Abstract — We provide bounds on the efficiency of secure one-sided output two-party computation of arbitrary finite functions from trusted distributed randomness in the statistical case. From these results we derive bounds on the efficiency of protocols that use different variants of OT as a black-box. When applied to implementations of OT, these bounds generalize most known results to the statistical case. Our results hold in particular for transformations between a finite number of primitives and for any error. In the second part we study the efficiency of quantum protocols implementing OT. While most classical lower bounds for perfectly secure reductions of OT to distributed randomness still hold in the quantum setting, we present a statistically secure protocol that violates these bounds by an arbitrarily large factor. We then prove a weaker lower bound that does hold in the statistical quantum setting and implies that even quantum protocols cannot extend OT. Finally, we present two lower bounds for reductions of OT to commitments and a protocol based on string commitments that is optimal with respect to both of these bounds.

Index Terms — Unconditional security, oblivious transfer, lower 
bounds, two-party computation, quantum cryptography. 

I. Introduction 

Secure multi-party computation allows two or more distrustful players to jointly compute a function of their inputs in a secure way [2]. Security here means that the players compute the value of the function correctly without learning more than what they can derive from their own input and output.

A primitive of central importance in secure multi-party computation is oblivious transfer (OT). In particular, OT is sufficient to execute any two-party computation securely [3], [4], and OT can be precomputed offline, i.e., before the actual inputs to the computation are available, and converted into OTs later. The original form of OT ($(\tfrac{1}{2})\text{-RabinOT}^1$) has been introduced by Rabin in [5]. It allows a sender to send a bit $x$, which the receiver will get with probability $1/2$, while the sender does not learn whether the message has arrived or not. Another variant of OT, called one-out-of-two bit-OT ($\binom{2}{1}\text{-OT}^1$), was defined in [6]. Here, the sender has two input bits $x_0$ and $x_1$. The receiver gives as input a choice bit $c$ and receives $x_c$ without learning $x_{1-c}$. The sender gets no information about the choice bit $c$. Other important variants of OT are $\binom{n}{t}\text{-OT}^k$, where the inputs are strings of $k$ bits and the receiver can choose $t < n$ out of $n$ secrets, and $(p)\text{-RabinOT}^k$, where the inputs are strings of $k$ bits and the erasure probability is $p \in [0,1]$.

A preliminary version of this work appeared in [1].
If the players have access to noiseless classical or quantum communication only, it is impossible to implement information-theoretically secure OT, i.e., OT secure against an adversary with unlimited computing power. The primitives $(p)\text{-RabinOT}^k$ and $\binom{2}{1}\text{-OT}^1$ are equally powerful [7], i.e., one can be implemented from the other. Numerous reductions of $\binom{n}{t}\text{-OT}^k$ to $\binom{2}{1}\text{-OT}^{k'}$ are known [8], [9], [10], [11], [12]. There has also been a lot of interest in reductions of OT to weaker primitives. For example, OT can be realized from noisy channels [13], [14], [15], [16], noisy correlations [17], [18], or weak variants of oblivious transfer [19], [20], [21], [22], [23].

In the quantum setting, OT can be implemented from black-box commitments [24], [25], [26], [27]; this reduction is impossible in the classical setting^1.

Given these positive results it is natural to ask how efficient 
such reductions can be in principle, i.e., how many instances 
of a given primitive are needed to implement OT. 

A. Previous Results 

Several lower bounds for OT reductions are known. The earliest impossibility result for information-theoretically secure reductions of OT [28] shows that $\binom{2}{1}\text{-OT}^1$ cannot be extended, i.e., there does not exist a protocol using $n$ instances of $\binom{2}{1}\text{-OT}^1$ that perfectly implements $m > n$ instances. Lower bounds on the number of instances of OT needed to perfectly implement other variants of OT have been presented in [17] (see also [29]). These bounds have been strengthened and generalized to secure sampling of arbitrary two-party distributions in [12], [30], [31], [32]. These bounds apply to the semi-honest model (where dishonest players follow the protocol, but try to gain additional information from the transcript of the computation) and, in the case of implementations of OT, also to the malicious model (where dishonest players behave arbitrarily). In the malicious model these bounds can be improved [33]. Lower bounds on the number of ANDs needed to implement general functions have been presented in [34].

These results only consider perfect protocols and do not give much insight into the case of statistical implementations. As pointed out in [33], their result only applies to the perfect case, because there is a statistically secure protocol that is more efficient [35]. There can be a large gap between the efficiency of perfect and statistical protocols, as shown in [34]: the number of OTs needed to compute the equality function is exponentially bigger in the perfect case than in the statistical case. Therefore, it is not true in general that a bound in the perfect case implies a similar bound in the statistical case.

1 The existence of a classical reduction of OT to bit commitment in the malicious model would imply a semi-honest OT protocol from a communication channel only.

So far very little is known in the statistical case. In [36] a proof sketch of a lower bound for statistical implementations of $\binom{2}{1}\text{-OT}^k$ has been presented. However, this result only holds in the asymptotic case, where the number $n$ of resource primitives goes to infinity and the error goes to zero as $n$ goes to infinity. In [34] a non-asymptotic lower bound on the number of ANDs needed for one-sided secure computation of arbitrary functions with Boolean output has been shown. This result directly implies lower bounds for protocols that use $\binom{n}{t}\text{-OT}^k$ as a black-box. However, besides being restricted to Boolean-valued functions, this result is not strong enough to show optimality of several known reductions, and it does not provide bounds for reductions to randomized primitives such as $(\tfrac{1}{2})\text{-RabinOT}^1$. The impossibility results for perfectly secure implementations of randomized two-party primitives of [31], [32] should also generalize to the case of a small statistical error according to the authors.

In the quantum setting almost all known negative results show that a certain primitive is impossible to implement from scratch. Commitment has been shown to be impossible in the quantum setting in [37], [38]. Using a similar proof, it has been shown in [39] that general one-sided two-party computation and in particular oblivious transfer are also impossible to implement securely in the quantum setting.

The only lower bounds for quantum protocols where the players have access to resource primitives (such as different variants of OT) have been presented in [40], where Theorem 4.7 shows that important lower bounds for classical protocols also apply to perfectly secure quantum reductions.

B. Contributions 

In Section III we consider statistically secure protocols that compute a function between two parties from trusted randomness distributed to the players. We provide two bounds on the efficiency of such reductions, in terms of the conditional Shannon entropy and the mutual information of the randomness, that allow us in particular to derive bounds on the minimal number of $\binom{n}{t}\text{-OT}^k$ or $(p)\text{-RabinOT}^k$ needed to compute a general function securely. Our results hold in the non-asymptotic regime, i.e., we consider a finite number of resource primitives and our results hold for any error.

We will use the formalism of smooth entropies to show that one of these two bounds can be generalized to a bound in terms of the conditional min-entropy. This leads to tighter bounds in many cases and to arbitrarily better bounds for some reductions.

In Section III-A we provide an additional bound for the special case of statistical implementations of $\binom{n}{t}\text{-OT}^k$ in the semi-honest model. Lower bounds for implementations of OT in the semi-honest model imply similar bounds in the malicious model (cf. Section III-E and Appendix A). The bounds for implementations of $\binom{n}{t}\text{-OT}^k$ (Theorem [number illegible in source]) imply the following corollary that gives a general bound on the conversion rate between different variants of OT.



Corollary 1: For any reduction that implements $M$ instances of $\binom{N}{1}\text{-OT}^K$ from $m$ instances of $\binom{n}{1}\text{-OT}^k$ in the semi-honest model with an error of at most $\varepsilon$, we have

$$\frac{m}{M} \;\ge\; \max\left\{ \frac{(N-1)K}{(n-1)k},\ \frac{K}{k},\ \frac{\log N}{\log n} \right\} - [\text{coefficient illegible in source}] \cdot NK \cdot (\varepsilon + h(\varepsilon)) .$$

Corollary 1 generalizes the lower bounds from [17], [12], [30] to the statistical case and is strictly stronger than the impossibility bounds from [36]. If we let $M = m+1$, $N = n = 2$ and $K = k = 1$, we obtain a stronger version of Theorem 3 from [28], which states that OT cannot be extended. Note that the impossibility results for perfectly secure implementations of randomized two-party primitives of [31], [32] deliver stronger bounds in general (cf. Example 4.1 in [32]), and according to the authors these results should also generalize to the case of a small statistical error. However, in contrast to our results, they are restricted to randomized primitives only and do not apply to general two-party functions.

Our lower bounds show that the following protocols are (close to) optimal in the sense that they use the minimal number of instances of the given primitive.

• The protocol in [41], [17] which uses instances of $\binom{n}{t}\text{-OT}^k$ to implement $\binom{N}{1}\text{-OT}^k$ is optimal.

• The protocol in [12] which uses $t$ instances of $\binom{n}{1}\text{-OT}^{k'}$ (the string length $k'$ is illegible in the source) to implement $\binom{n}{t}\text{-OT}^k$ is optimal.

• In the semi-honest model, the trivial protocol that implements $\binom{2}{1}\text{-OT}^k$ from $k$ instances of $\binom{2}{1}\text{-OT}^1$ is optimal. In the malicious case, the protocol in [33] uses asymptotically (as $k$ goes to infinity) the same number of instances and is therefore asymptotically optimal.

• The protocol in [42] that implements $\binom{2}{1}\text{-OT}^k$ from $(\tfrac{1}{2})\text{-RabinOT}^1$ in the malicious model is asymptotically optimal.

While previous results suggest that quantum protocols are not more efficient than classical protocols for reductions between different variants of oblivious transfer, we present in Section IV a statistically secure protocol that violates the classical bounds and the bound for perfectly secure quantum protocols by an arbitrarily large factor. More precisely, we prove that, in the quantum setting, string oblivious transfer can be reversed much more efficiently than by any classical protocol. We show that a weaker lower bound for quantum reductions holds also for quantum protocols in the statistical setting (Theorem [number illegible in source]). This result implies in particular that quantum protocols cannot extend oblivious transfer, i.e., there exists a constant $c > 0$ such that any quantum reduction of $m+1$ instances of $\binom{2}{1}\text{-OT}^1$ to $m$ instances of $\binom{2}{1}\text{-OT}^1$ must have an error of at least [bound illegible in source]. Finally, we also derive a lower bound on the number of commitments (Theorem [number illegible in source]) and on the total number of bits the players need to commit to (Theorem 7) in any $\varepsilon$-secure implementation of $\binom{2}{1}\text{-OT}^k$ from commitments.

Corollary 2: A protocol that implements $\binom{2}{1}\text{-OT}^k$, using commitments only, with an error of at most $\varepsilon$, $0 < \varepsilon < 0.002$, must use at least $\log(1/\varepsilon) - 6$ individual commitments and needs to commit to at least $(1 - 3\sqrt{\varepsilon}) \cdot k - 3h(\sqrt{\varepsilon})$ bits in total.
II. Preliminaries

We denote the distribution of a random variable $X$ by $P_X(x)$. Given the distribution $P_{XY}$ over $\mathcal{X} \times \mathcal{Y}$, the marginal distribution is denoted by $P_X(x) := \sum_{y \in \mathcal{Y}} P_{XY}(x,y)$. For every $y \in \mathcal{Y}$ with $P_Y(y) > 0$, the conditional distribution $P_{X|Y}(x,y) := P_{XY}(x,y)/P_Y(y)$ over $\mathcal{X} \times \mathcal{Y}$ defines a distribution $P_{X|Y=y}$ with $P_{X|Y=y}(x) = P_{X|Y}(x,y)$ over $\mathcal{X}$. Given an event $\Omega$ and random variables $X$ and $Y$ with a joint distribution $P_{\Omega XY}$, we use the notation $P_{X\Omega|Y=y}$ for the sub-normalized distribution with $P_{X\Omega|Y=y}(x) := P_{X|Y=y}(x) \, P_{\Omega|X=x,Y=y}$. We will also use the shorthand notation $P_{\Omega|X=x}$ to denote the probability of the event $\Omega$ conditioned on $X = x$. We use the convention that $P_{X\Omega|Y=y}(x) = 0$ if $P_Y(y) = 0$.

The statistical distance between the distributions $P_X$ and $P_{X'}$ over the domain $\mathcal{X}$ is defined as the maximum, over all (inefficient) distinguishers $\delta : \mathcal{X} \to \{0,1\}$, of the distinguishing advantage:

$$D(P_X, P_{X'}) := \max_{\delta} \left| \Pr[\delta(X) = 1] - \Pr[\delta(X') = 1] \right| .$$

If $D(P_X, P_{X'}) \le \varepsilon$, we may also say that $P_X$ is $\varepsilon$-close to $P_{X'}$. The support of a distribution $P_X$ over $\mathcal{X}$ is defined as $\mathrm{supp}(P_X) := \{x \in \mathcal{X} : P_X(x) > 0\}$. If $x = (x_1, \dots, x_n)$ and $T := \{i_1, \dots, i_k\} \subseteq \{1, 2, \dots, n\}$, then $x_T$ denotes the sub-string $(x_{i_1}, x_{i_2}, \dots, x_{i_k})$ of $x$. If $x, y \in \{0,1\}^n$, then $x \oplus y$ denotes the bitwise XOR of $x$ and $y$.



A. Information Theory

The conditional Shannon entropy of $X$ given $Y$ is defined as^2

$$H(X|Y) := - \sum_{(x,y) \in \mathrm{supp}(P_{XY})} P_{XY}(x,y) \log P_{X|Y}(x,y) .$$

The mutual information of $X$ and $Y$ given $Z$ is defined as

$$I(X;Y|Z) := H(X|Z) - H(X|YZ) .$$

We use the notation

$$h(p) := -p \log p - (1-p) \log (1-p)$$

for the binary entropy function, i.e., $h(p)$ is the Shannon entropy of a binary random variable that takes on one value with probability $p$ and the other with $1-p$. Note that the function $h(p)$ is concave, which implies that for any $0 < p < 1$ and $0 < c < 1$, we have

$$h(c \cdot p) \ge c \cdot h(p) . \qquad (1)$$

We will need the chain rule

$$H(XY|Z) = H(X|Z) + H(Y|XZ) , \qquad (2)$$

and the following monotonicity inequalities

$$H(XY|Z) \ge H(X|Z) \ge H(X|YZ) , \qquad (3)$$
$$I(WX;Y|Z) \ge I(X;Y|Z) . \qquad (4)$$

2 All logarithms are binary. 



We will also need

$$H(X|YZ) = \sum_z P_Z(z) \cdot H(X|Y, Z=z) . \qquad (5)$$

$X \leftrightarrow Y \leftrightarrow Z$ implies that

$$H(X|Z) \ge H(X|YZ) = H(X|Y) . \qquad (6)$$

It is easy to show that if $W \leftrightarrow XZ \leftrightarrow Y$, then

$$I(X;Y|ZW) \le I(X;Y|Z) \quad \text{and} \qquad (7)$$
$$I(W;Y|Z) \le I(X;Y|Z) . \qquad (8)$$

We will need the following lemma that we prove in Appendix C.

Lemma 1: Let $(X,Y)$ and $(\bar{X},\bar{Y})$ be random variables distributed according to $P_{XY}$ and $P_{\bar{X}\bar{Y}}$, and let $D(P_{XY}, P_{\bar{X}\bar{Y}}) = \varepsilon$. Then

$$H(\bar{X}|\bar{Y}) \ge H(X|Y) - \varepsilon \log |\mathcal{X}| - h(\varepsilon) .$$

Lemma 1 implies Fano's inequality: For all $X, \hat{X} \in \mathcal{X}$ with $\Pr[X \neq \hat{X}] \le \varepsilon$, we have

$$H(X|\hat{X}) \le \varepsilon \cdot \log |\mathcal{X}| + h(\varepsilon) . \qquad (9)$$
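The quantities of this section, as an added worked example that is not part of the paper: a small toolkit for Shannon entropies of finite joint distributions (given as dicts from value tuples to probabilities), with numeric checks of the concavity bound (1), the chain rule (2), the monotonicity (3), Fano's inequality (9) and Lemma 1 on constructed distributions. The sample distributions, the helper names and the specific error values are this example's own choices; the statistical distance is computed as half the L1 distance, which equals the maximal distinguishing advantage of the definition above.

```python
# Added example (not from the paper): Shannon quantities of Section II-A on
# finite distributions, with numeric checks of (1), (2), (3), (9) and Lemma 1.
# Joint distributions are dicts {(x, y, ...): probability}; logs are binary.
from collections import defaultdict
from math import log2

def marginal(p, keep):
    """Marginalize {tuple: prob} onto the coordinate positions in `keep`."""
    out = defaultdict(float)
    for key, pr in p.items():
        out[tuple(key[i] for i in keep)] += pr
    return dict(out)

def entropy(p):
    return -sum(pr * log2(pr) for pr in p.values() if pr > 0)

def H(p, x, y=()):
    """Conditional Shannon entropy H(X|Y) = H(XY) - H(Y); x and y are tuples
    of coordinate positions (y=() gives the unconditional entropy)."""
    return entropy(marginal(p, x + y)) - entropy(marginal(p, y))

def I(p, x, y, z=()):
    """Conditional mutual information I(X;Y|Z) = H(X|Z) - H(X|YZ)."""
    return H(p, x, z) - H(p, x, y + z)

def h(q):
    """Binary entropy function h(q)."""
    return 0.0 if q in (0.0, 1.0) else -q * log2(q) - (1 - q) * log2(1 - q)

def stat_distance(p, q):
    """D(P,Q): the best distinguisher accepts exactly where P > Q, so the
    maximal advantage equals half the L1 distance."""
    keys = set(p) | set(q)
    return 0.5 * sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in keys)

# Constructed three-variable distribution (weights out of 16) used below.
_W = {(0, 0, 0): 3, (0, 0, 1): 1, (0, 1, 0): 2, (0, 1, 1): 2,
      (1, 0, 0): 1, (1, 0, 1): 3, (1, 1, 0): 2, (1, 1, 1): 2}
PXYZ = {k: w / 16 for k, w in _W.items()}
X, Y, Z = (0,), (1,), (2,)   # coordinate positions inside the key tuples

def chain_rule_gap():
    """|H(XY|Z) - H(X|Z) - H(Y|XZ)|, which (2) says is zero."""
    return abs(H(PXYZ, X + Y, Z) - H(PXYZ, X, Z) - H(PXYZ, Y, X + Z))

def concavity_holds(steps=20):
    """Check (1): h(c*p) >= c*h(p) on a grid of 0 < p, c < 1."""
    grid = [i / steps for i in range(1, steps)]
    return all(h(c * p) >= c * h(p) - 1e-12 for p in grid for c in grid)

def fano_check(eps, size=4):
    """X uniform on {0..size-1}; the estimate Xhat is wrong with probability
    eps (uniform over the wrong values). Returns (H(X|Xhat), bound of (9))."""
    p = {}
    for x in range(size):
        for xh in range(size):
            p[(x, xh)] = (1 - eps) / size if x == xh else eps / (size * (size - 1))
    return H(p, X, Y), eps * log2(size) + h(eps)

def lemma1_check(eps, size=4):
    """P_XY: X = Y uniform, so H(X|Y) = 0. The second distribution mixes it
    with an independent uniform pair with weight eps. Returns
    (H(X|Y), H(X'|Y') - D*log|X| - h(D)) with D the statistical distance;
    Lemma 1 says the first value is at least the second."""
    p = {(x, y): (1.0 / size if x == y else 0.0)
         for x in range(size) for y in range(size)}
    q = {k: (1 - eps) * v + eps / size ** 2 for k, v in p.items()}
    d = stat_distance(p, q)
    return H(p, X, Y), H(q, X, Y) - d * log2(size) - h(d)
```

The checks are deliberately written as functions returning numbers rather than printing them, so they can be reused for other distributions; `lemma1_check` exercises the direction of Lemma 1 that is later used in the proofs (a distribution at distance $D$ from one with known conditional entropy).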

B. Smooth Entropies 

The min-entropy $H_{\min}(X)$ is the negative logarithm of the probability of the most likely element

$$H_{\min}(X) := -\log \max_x P_X(x) .$$

The max-entropy is defined as the logarithm of the size of the support of $P_X$

$$H_{\max}(X) := \log |\mathrm{supp}(P_X)| .$$

There is no standard definition of conditional min- or max-entropy. A natural definition of the min-entropy^3 is the following

$$H_{\min}(X|Y) := -\log \sum_y P_Y(y) \max_x P_{X|Y=y}(x) = -\log \sum_y \max_x P_{XY}(x,y) .$$

Then $2^{-H_{\min}(X|Y)}$ corresponds to the maximal probability to guess $X$ from $Y$. In contrast to Shannon entropy, min- and max-entropies are not robust to small changes in the distribution. Therefore, one often considers smoothed versions of these measures, where the entropy is optimized over a set of distributions that are close in terms of some distance measure. While the concept of smoothed entropies has already been used in the literature on randomness extraction [45], the term smooth entropy has been introduced in [46]. There it has been shown that the smoothed conditional min- and max-entropies^4 have similar properties as the Shannon entropy, i.e., they satisfy a chain rule, monotonicity and subadditivity.

3 This definition has been introduced in [43] in the context of cryptography. Furthermore, it corresponds to the definition of quantum conditional min-entropy [44] for the special case of classical states.

4 The variant of conditional min-entropy used there is different from the 
one we consider in this article. 
Definition 1: For random variables $X$, $Y$ and $\varepsilon \in [0,1)$, we define

$$H^{\varepsilon}_{\max}(X|Y) := \min_{\Omega : \Pr[\Omega] \ge 1-\varepsilon} \ \max_y \log |\mathrm{supp}(P_{X\Omega|Y=y})| ,$$

$$H^{\varepsilon}_{\min}(X|Y) := \max_{\Omega : \Pr[\Omega] \ge 1-\varepsilon} \ -\log \sum_y P_Y(y) \max_x P_{X\Omega|Y=y}(x) .$$

In Appendix B we prove various properties of the entropies $H^{\varepsilon}_{\min}(X|Y)$ and $H^{\varepsilon}_{\max}(X|Y)$.
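The entropies of this section, as an added worked example that is not part of the paper: min- and max-entropy on finite distributions, a brute-force confirmation that $2^{-H_{\min}(X|Y)}$ is the best guessing probability, and the smooth entropies of Definition 1 in the special case of a trivial $Y$, where the optimal event $\Omega$ can be computed directly (drop the lightest elements for $H^{\varepsilon}_{\max}$, trim the heaviest ones to a common level for $H^{\varepsilon}_{\min}$). The "spiky" and "noisy copy" distributions and all helper names are constructed for this example.

```python
# Added example (not from the paper): min-/max-entropy of Section II-B, the
# guessing-probability meaning of H_min(X|Y), and Definition 1 for trivial Y.
# Probabilities are Fractions so the mass bookkeeping of the smoothing is exact.
from collections import defaultdict
from fractions import Fraction
from itertools import product
from math import log2

def min_entropy(p):
    """H_min(X) = -log max_x P_X(x) for p = {x: prob}."""
    return -log2(float(max(p.values())))

def max_entropy(p):
    """H_max(X) = log |supp(P_X)|."""
    return log2(sum(1 for pr in p.values() if pr > 0))

def cond_min_entropy(pxy):
    """H_min(X|Y) = -log sum_y max_x P_XY(x,y) for pxy = {(x, y): prob}."""
    best = defaultdict(Fraction)
    for (x, y), pr in pxy.items():
        best[y] = max(best[y], pr)
    return -log2(float(sum(best.values())))

def guessing_probability(pxy, guess):
    """Success probability of a deterministic strategy guess: y -> x."""
    return float(sum(pr for (x, y), pr in pxy.items() if guess(y) == x))

def best_guessing_probability(pxy):
    """Brute force over all strategies; equals 2^-H_min(X|Y)."""
    xs = sorted({x for x, _ in pxy})
    ys = sorted({y for _, y in pxy})
    return max(guessing_probability(pxy, lambda y, s=s: s[ys.index(y)])
               for s in product(xs, repeat=len(ys)))

def smooth_max_entropy(p, eps):
    """H^eps_max(X) for trivial Y: drop the lightest elements while the
    dropped mass stays <= eps. This Omega is optimal, since any event that
    keeps k elements drops at least the total mass of the lightest ones."""
    removed, kept = Fraction(0), len(p)
    for pr in sorted(p.values()):
        if removed + pr > eps:
            break
        removed, kept = removed + pr, kept - 1
    return log2(kept)

def smooth_min_entropy(p, eps):
    """H^eps_min(X) for trivial Y: the best Omega trims the heaviest masses
    down to a common level lam, spending exactly eps of mass (water-filling),
    so the result is -log lam. Try k = 1, 2, ... heaviest masses sharing it."""
    masses = sorted(p.values(), reverse=True)
    for k in range(1, len(masses) + 1):
        lam = (sum(masses[:k]) - eps) / k
        nxt = masses[k] if k < len(masses) else Fraction(0)
        if lam >= nxt:          # the k heaviest are exactly the trimmed ones
            return -log2(float(lam))
    raise ValueError("eps must be smaller than 1")

# Constructed 'spiky' distribution: one heavy element plus 100 light ones.
SPIKY = {0: Fraction(99, 100)}
SPIKY.update({i: Fraction(1, 10000) for i in range(1, 101)})

# Constructed noisy copy: Y equals the uniform bit X except with probability
# 1/10, so the best guess of X from Y is simply X = Y.
NOISY = {(x, y): (Fraction(9, 20) if x == y else Fraction(1, 20))
         for x in (0, 1) for y in (0, 1)}

def robustness_demo(eps=Fraction(1, 100)):
    """Plain vs. smoothed entropies of SPIKY: the max-entropy drops from
    log 101 to 0 once 1% of the mass may be ignored."""
    return {"H_max": max_entropy(SPIKY),
            "H_max_smooth": smooth_max_entropy(SPIKY, eps),
            "H_min": min_entropy(SPIKY),
            "H_min_smooth": smooth_min_entropy(SPIKY, eps)}
```

`robustness_demo` makes the non-robustness remark above concrete: a total variation of one percent moves $H_{\max}$ from $\log 101$ to $0$, while the Shannon entropy of the same distribution barely changes.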



C. Primitives and Randomized Primitives

In the following we consider two-party primitives that take inputs $x$ from Alice and $y$ from Bob and output $\bar{x}$ to Alice and $\bar{y}$ to Bob, where $(\bar{x}, \bar{y})$ are distributed according to $P_{\bar{X}\bar{Y}|XY}$. For simplicity, we identify such a primitive with $P_{\bar{X}\bar{Y}|XY}$. If the primitive has no input and outputs values $(u,v)$ distributed according to $P_{UV}$, we may simply write $P_{UV}$. If the primitive is deterministic and only Bob gets an output, i.e., if there exists a function $f : \mathcal{X} \times \mathcal{Y} \to \mathcal{Z}$ such that $P_{\bar{X}\bar{Y}|X=x,Y=y}(\bot, f(x,y)) = 1$ for all $x, y$, then we identify the primitive with the function $f$.

Examples of such primitives are $\binom{n}{t}\text{-OT}^k$, $(p)\text{-RabinOT}^k$, $\mathrm{EQ}_n$ and $\mathrm{IP}_n$:

• $\binom{n}{t}\text{-OT}^k$ is the primitive where Alice has an input $x = (x_0, \dots, x_{n-1}) \in \{0,1\}^{kn}$, and Bob has an input $c \subseteq \{0, \dots, n-1\}$ with $|c| = t$. Bob receives $y = x|_c \in \{0,1\}^{tk}$.

• $(p)\text{-RabinOT}^k$ is the primitive where Alice has an input $x \in \{0,1\}^k$. Bob receives $y$, which is equal to $x$ with probability $p$ and $\Delta$ otherwise.

• The equality function $\mathrm{EQ}_n : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}$ is defined as

$$\mathrm{EQ}_n(x,y) := \begin{cases} 1, & \text{if } x = y \\ 0, & \text{otherwise} \end{cases}$$

• The inner-product-modulo-two function $\mathrm{IP}_n : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}$ is defined as

$$\mathrm{IP}_n(x,y) := \bigoplus_{i=1}^{n} x_i y_i .$$

We often allow a protocol to use a primitive $P_{UV}$ that does not have any input and outputs $u$ and $v$ distributed according to the distribution $P_{UV}$ to the players. This is enough to model reductions to $\binom{n}{t}\text{-OT}^k$ and $(p)\text{-RabinOT}^k$, since these primitives are equivalent to distributed randomness $P_{UV}$, i.e., there exist two protocols that are secure in the semi-honest model: one that generates the distributed randomness using one instance of the primitive, and one that implements one instance of the primitive using the distributed randomness as input to the two parties. The fact that $\binom{2}{1}\text{-OT}^1$ is equivalent to distributed randomness has been presented in [24], [47]. The generalization to $\binom{n}{t}\text{-OT}^k$ is straightforward. The randomized primitives are obtained by simply choosing all inputs uniformly at random. For $(p)\text{-RabinOT}^k$, the implementation is straightforward. Hence, any protocol that uses some instances of $\binom{n}{t}\text{-OT}^k$ or $(p)\text{-RabinOT}^k$ can be converted into a protocol that only uses a primitive $P_{UV}$ without any input.
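The equivalence just described, as an added worked example that is not part of the paper and not the protocol of [24] or [47] as written there: both directions for $\binom{2}{1}\text{-OT}^1$, i.e., generating $U = (r_0, r_1)$, $V = (d, r_d)$ from one call to the primitive on random inputs, and implementing one OT on real inputs from one such pair. The message names $e, y_0, y_1$ and the helper names are this example's choices. Because the whole protocol lives on six bits, correctness and the two semi-honest view conditions can be verified by exhaustive enumeration rather than argued.

```python
# Added example (not from the paper): (2 choose 1)-OT^1 <-> distributed
# randomness in the semi-honest model, with exhaustive correctness and
# view-independence checks. Message and helper names are this example's own.
from collections import Counter
from itertools import product

def ideal_ot(x0, x1, c):
    """The ideal (2 choose 1)-OT^1 primitive: Bob learns x_c, Alice nothing."""
    return (x0, x1)[c]

def randomness_from_ot(ot, r0, r1, d):
    """Direction 1: one call on uniformly random inputs (r0, r1) of Alice and
    d of Bob yields the distributed randomness U = (r0, r1), V = (d, r_d)."""
    return (r0, r1), (d, ot(r0, r1, d))

def ot_from_randomness(x0, x1, c, U, V):
    """Direction 2: one OT on Alice's bits x0, x1 and Bob's choice c from one
    copy of U = (r0, r1), V = (d, r_d). Returns (Bob's output, transcript)."""
    r0, r1 = U
    d, rd = V
    e = c ^ d                    # Bob -> Alice: choice masked by d
    y0 = x0 ^ (r0, r1)[e]        # Alice -> Bob: x0 masked with r_e
    y1 = x1 ^ (r0, r1)[1 - e]    # Alice -> Bob: x1 masked with r_{1-e}
    out = (y0, y1)[c] ^ rd       # y_c = x_c ^ r_{c^e} = x_c ^ r_d
    return out, (e, y0, y1)

BITS = (0, 1)

def correct_everywhere():
    """Bob's output equals x_c for all inputs and all values of (r0, r1, d)."""
    for x0, x1, c, r0, r1, d in product(BITS, repeat=6):
        U, V = randomness_from_ot(ideal_ot, r0, r1, d)
        if ot_from_randomness(x0, x1, c, U, V)[0] != (x0, x1)[c]:
            return False
    return True

def _distance(counts_a, counts_b, total):
    """Statistical distance of two empirical view distributions."""
    keys = set(counts_a) | set(counts_b)
    return 0.5 * sum(abs(counts_a[k] - counts_b[k]) for k in keys) / total

def alice_view_distance():
    """Alice's view is (x0, x1, r0, r1, e). For each fixed (x0, x1), compare
    its distribution for c = 0 and c = 1 over uniform (r0, r1, d); a result
    of 0 means the transcript carries nothing about Bob's choice."""
    worst = 0.0
    for x0, x1 in product(BITS, repeat=2):
        views = {c: Counter() for c in BITS}
        for c, r0, r1, d in product(BITS, repeat=4):
            U, V = randomness_from_ot(ideal_ot, r0, r1, d)
            _, (e, _, _) = ot_from_randomness(x0, x1, c, U, V)
            views[c][(x0, x1, r0, r1, e)] += 1
        worst = max(worst, _distance(views[0], views[1], 8))
    return worst

def bob_view_distance():
    """Bob's view is (c, d, r_d, y0, y1). For each fixed c and x_c, compare
    its distribution for x_{1-c} = 0 and x_{1-c} = 1; a result of 0 means the
    unchosen bit stays hidden behind the one-time pad r_{1-d}."""
    worst = 0.0
    for c, xc in product(BITS, repeat=2):
        views = {other: Counter() for other in BITS}
        for other, r0, r1, d in product(BITS, repeat=4):
            x = [None, None]
            x[c], x[1 - c] = xc, other
            U, V = randomness_from_ot(ideal_ot, r0, r1, d)
            _, (_, y0, y1) = ot_from_randomness(x[0], x[1], c, U, V)
            views[other][(c, d, V[1], y0, y1)] += 1
        worst = max(worst, _distance(views[0], views[1], 8))
    return worst
```

The two distance functions are exactly the semi-honest conditions of Definition 2 below, evaluated with error $0$: a simulator for Alice can output the view with a uniformly random $e$, and a simulator for Bob can output uniform $(d, r_d, y_{1-c})$ together with $y_c = x_c \oplus r_d$.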



D. Protocols and Security in the Semi-Honest Model

We will consider the following model: The two parties use a primitive $P_{UV}$ that has no input and outputs values $(u,v)$ distributed according to $P_{UV}$ to the players. Alice and Bob receive inputs $x$ and $y$. Then, the players exchange messages in several rounds, where we assume that Alice sends the first message. If $i$ is odd, then Alice computes the $i$-th message as a randomized function of all previous messages, her input $x$ and $u$. If $i$ is even, then Bob computes the $i$-th message as a randomized function of all previous messages, his input $y$ and $v$. We assume that the number of rounds is bounded by a constant $t$. By padding the protocol with empty rounds, we can thus assume without loss of generality that the protocol uses $t$ rounds in every execution. After $t$ rounds, Bob computes his output $z$ as a randomized function of $(M, V, y)$, where $M = (M_1, \dots, M_t)$ is the sequence of all messages exchanged. It is easy to check that the Markov chain inequalities (7) and (8) imply that, for every distribution of the inputs $X$ and $Y$, we have $I(Z; XU | YVM) = 0$, $I(ZY; X | VM) = 0$ and $I(ZYV; X | UM) = 0$.

We will consider the semi-honest model, where both players behave honestly, but may save all the information they get during the protocol to obtain extra information about the other player's input or output. A protocol securely implements $f : \mathcal{X} \times \mathcal{Y} \to \mathcal{Z}$ with an error $\varepsilon$ if the entire view of each player can be simulated with an error of at most $\varepsilon$ in an ideal setting, where the players only have black-box access to the primitive $f : \mathcal{X} \times \mathcal{Y} \to \mathcal{Z}$. Note that this simulation is allowed to change neither the input nor the output. This definition of security follows Definition 7.2.1 from [48], but is adapted to the case of computationally unbounded adversaries and statistical indistinguishability.

Definition 2: Let $\Pi$ be a protocol with black-box access to a primitive $P_{UV}$ that implements a primitive $f : \mathcal{X} \times \mathcal{Y} \to \mathcal{Z}$. The random variables $\mathrm{View}^{\Pi}_A(x,y)$ and $\mathrm{View}^{\Pi}_B(x,y)$ denote the views of Alice and Bob on input $(x,y)$, defined as $(x, u, m_1, \dots, m_t, r_A)$ and $(y, v, m_1, \dots, m_t, r_B)$, respectively, where $r_A$ ($r_B$) is the private randomness of Alice (Bob), $m_i$ represents the $i$-th message and $u$, $v$ is the output from $P_{UV}$. $\mathrm{Out}^{\Pi}_B(x,y)$ denotes the output (which is implicit in the view) of Bob on input $(x,y)$. The protocol is secure in the semi-honest model with an error of at most $\varepsilon$, if there exist two randomized functions $S_A$ and $S_B$, called the simulators^5, such that for all $x$ and $y$:

$$D\big((\mathrm{View}^{\Pi}_A(x,y), \mathrm{Out}^{\Pi}_B(x,y)), (S_A(x), z)\big) \le \varepsilon ,$$
$$D\big((z, S_B(y,z)), (\mathrm{Out}^{\Pi}_B(x,y), \mathrm{View}^{\Pi}_B(x,y))\big) \le \varepsilon ,$$

where $z = f(x,y)$.

Note that security in the semi-honest model does not directly imply security in the malicious model, as the simulator is allowed to change the input/output in the malicious model, while it is not allowed to do so in the semi-honest model. We will, therefore, also consider security in the weak semi-honest model, which is implied both by security in the semi-honest model and by security in the malicious model. Here, the simulator is allowed to change the input to the ideal primitive and change the output from the ideal primitive. Thus, in order to show impossibility of certain protocols in the malicious and in the semi-honest model, it is sufficient to show impossibility in the weak semi-honest model.

5 We do not require the simulator to be efficient.

E. Sufficient Statistics

Intuitively speaking, the sufficient statistics of $X$ with respect to $Y$, denoted $X \searrow Y$, is the part of $X$ that is correlated with $Y$.

Definition 3: Let $X$ and $Y$ be random variables, and let $f(x) := P_{Y|X=x}$. The sufficient statistics of $X$ with respect to $Y$ is defined as $X \searrow Y := f(X)$.

It is easy to show (see for example [49]) that for any $P_{XY}$, we have $X \leftrightarrow X \searrow Y \leftrightarrow Y$. This immediately implies that any protocol with access to a primitive $P_{UV}$ can be transformed into a protocol with access to $P_{U \searrow V, V \searrow U}$ (without compromising the security), because the players can compute $P_{UV}$ from $P_{U \searrow V, V \searrow U}$ privately. Thus, in the following we only consider primitives $P_{UV}$ where $U = U \searrow V$ and $V = V \searrow U$.

F. Common Part

The common part was first introduced in [50]. In a cryptographic context, it was used in [17]. Roughly speaking, the common part $X \wedge Y$ of $X$ and $Y$ is the maximal element of the set of all random variables (i.e., the finest random variable) that can be generated both from $X$ and from $Y$ without any error. For example, if $X = (X_0, X_1) \in \{0,1\}^2$ and $Y = (Y_0, Y_1) \in \{0,1\}^2$, and we have $X_0 = Y_0$ and $\Pr[X_1 \neq Y_1] = \varepsilon > 0$, then the common part of $X$ and $Y$ is equivalent to $X_0$.

Definition 4: Let $X$ and $Y$ be random variables with distribution $P_{XY}$. Let $\mathcal{X} := \mathrm{supp}(P_X)$ and $\mathcal{Y} := \mathrm{supp}(P_Y)$. Then $X \wedge Y$, the common part of $X$ and $Y$, is constructed in the following way:

• Consider the bipartite graph $G$ with vertex set $\mathcal{X} \cup \mathcal{Y}$, where two vertices $x \in \mathcal{X}$ and $y \in \mathcal{Y}$ are connected by an edge if $P_{XY}(x,y) > 0$ holds.

• Let $f_X : \mathcal{X} \to 2^{\mathcal{X} \cup \mathcal{Y}}$ be the function that maps a vertex $v \in \mathcal{X}$ of $G$ to the set of vertices in the connected component of $G$ containing $v$. Let $f_Y : \mathcal{Y} \to 2^{\mathcal{X} \cup \mathcal{Y}}$ be the function that does the same for a vertex $w \in \mathcal{Y}$ of $G$.

• $X \wedge Y := f_X(X) = f_Y(Y)$.

III. Impossibility Results for Classical Secure Function Evaluation

Let a protocol be an $\varepsilon$-secure implementation of a primitive $f : \mathcal{X} \times \mathcal{Y} \to \mathcal{Z}$ in the semi-honest model. Let $P_{XY}$ be the input distribution and let $M$ be the whole communication during the execution of the protocol. Then the security of the protocol implies the following lemma that we will use in our proofs.

Lemma 2:

$$H(X|VM) \ge H(X | Y f(X,Y)) - \varepsilon \log |\mathcal{X}| - h(\varepsilon) .$$

Proof: The security of the protocol implies that there exists a randomized function $S_B$, the simulator, such that $D(P_{XY S_B(Y, f(X,Y))}, P_{XYVM}) \le \varepsilon$. We can use Lemma 1 and (6) to obtain

$$H(X|VM) \ge H(X | S_B(Y, f(X,Y))) - \varepsilon \log |\mathcal{X}| - h(\varepsilon) \ge H(X | Y f(X,Y)) - \varepsilon \log |\mathcal{X}| - h(\varepsilon) . \qquad \blacksquare$$

We will now give lower bounds for information-theoretically secure implementations of functions $f : \mathcal{X} \times \mathcal{Y} \to \mathcal{Z}$ from a primitive $P_{UV}$ in the semi-honest model. Let $f : \mathcal{X} \times \mathcal{Y} \to \mathcal{Z}$ be a function such that

$$\forall x \neq x' \in \mathcal{X} \ \exists y \in \mathcal{Y} : f(x,y) \neq f(x',y) . \qquad (10)$$

This means that it is possible to compute $x$ from the set $\{(f(x,y), y) : y \in \mathcal{Y}\}$ for any $x$. In any secure implementation of $f$, Alice does not learn which $y$ Bob has chosen, but has to make sure that Bob can compute $f(x,y)$ for any $y$. This implies that she cannot hold back any information about $x$. The statement of Lemma 3 formally captures this intuition.

Unless otherwise specified, we assume in the following that Alice and Bob choose their inputs $X$ and $Y$ uniformly at random.

Lemma 3: For any protocol that is an $\varepsilon$-secure implementation of a function $f : \mathcal{X} \times \mathcal{Y} \to \mathcal{Z}$ that satisfies (10) in the semi-honest model, we have for any $y \in \mathcal{Y}$

$$H(X | UM, Y=y) \le (3|\mathcal{Y}| - 2)(\varepsilon \log |\mathcal{Z}| + h(\varepsilon)) .$$

Proof: There exists a randomized function $S_A$, the simulator, such that

$$D(P_{XMU|Y=y}, P_{X S_A(X)}) \le \varepsilon$$

for all $y \in \mathcal{Y}$. Therefore, the triangle inequality implies that for any $y, y'$

$$D(P_{XMU|Y=y}, P_{XMU|Y=y'}) \le 2\varepsilon . \qquad (11)$$

It holds that $I(X; Z | UM, Y=y) = 0$. Furthermore, we have $\Pr[Z \neq f(X,Y) \mid Y=y] \le \varepsilon$. Thus, it follows from (6) and (9) that

$$H(f(X,y) | UM, Y=y) \le H(f(X,y) | Z, Y=y) \le \varepsilon \cdot \log |\mathcal{Z}| + h(\varepsilon) . \qquad (12)$$

Together with (11) and Lemma 1 this implies that for any $y, y'$

$$H(f(X,y) | UM, Y=y') \le 3\varepsilon \log |\mathcal{Z}| + h(\varepsilon) + h(2\varepsilon) \le 3(\varepsilon \log |\mathcal{Z}| + h(\varepsilon)) ,$$

where the second inequality follows from (1). Since $X$ can be computed from the values $f(X, y_1), \dots, f(X, y_{|\mathcal{Y}|})$, we obtain

$$H(X | UM, Y=y) \le H(f(X, y_1), \dots, f(X, y_{|\mathcal{Y}|}) | UM, Y=y) \le \sum_{y' \in \mathcal{Y}} H(f(X, y') | UM, Y=y) \le (3|\mathcal{Y}| - 2)(\varepsilon \log |\mathcal{Z}| + h(\varepsilon)) ,$$

where we used (3) in the first and (2) and (3) in the second inequality. $\blacksquare$
Theorem 1: Let $f : \mathcal{X} \times \mathcal{Y} \to \mathcal{Z}$ be a function that satisfies (10). If there exists a protocol that implements $f$ from a primitive $P_{UV}$ with an error $\varepsilon$ in the semi-honest model, then

$$H(U|V) \ge \max_y H(X | f(X,y)) - (3|\mathcal{Y}| - 1)(\varepsilon \log |\mathcal{Z}| + h(\varepsilon)) - \varepsilon \log |\mathcal{X}| .$$

Proof: Let $y \in \mathcal{Y}$. By Lemma 3 and inequality (3), we conclude that

$$H(X | UVM, Y=y) \le H(X | UM, Y=y) \le (3|\mathcal{Y}| - 2)(\varepsilon \log |\mathcal{Z}| + h(\varepsilon)) .$$

We can use (2), (3) and Lemma 3 to obtain

$$H(X | VM, Y=y) = H(U | VM, Y=y) + H(X | UVM, Y=y) - H(U | XVM, Y=y) \le H(U | VM, Y=y) + (3|\mathcal{Y}| - 2)(\varepsilon \log |\mathcal{Z}| + h(\varepsilon)) \le H(U|V) + (3|\mathcal{Y}| - 2)(\varepsilon \log |\mathcal{Z}| + h(\varepsilon)) .$$

By Lemma 2 we know that

$$H(X | f(X,y)) - \varepsilon \log |\mathcal{X}| - h(\varepsilon) \le H(X | VM, Y=y) .$$

The statement follows by maximizing over all $y$. $\blacksquare$

Note that in (12) the term $\log |\mathcal{Z}|$ could be replaced by

$$d_f := \log \max_y |\{f(x,y) : x \in \mathcal{X}\}| \le \log \min(|\mathcal{Z}|, |\mathcal{X}|) .$$

The resulting bound,

$$H(U|V) \ge \max_y H(X | f(X,y)) - (3|\mathcal{Y}| - 1)(\varepsilon \cdot d_f + h(\varepsilon)) - \varepsilon \log |\mathcal{X}| ,$$

is stronger in general, but does not lead to improved results for the examples considered here.

If the domain $\mathcal{Y}$ of a function is large, Theorem 1 may only imply a rather weak bound. A simple way to improve this bound is to restrict the domain of $f$, i.e., to consider a function $f' : \mathcal{X}' \times \mathcal{Y}' \to \mathcal{Z}$ where $\mathcal{X}' \subseteq \mathcal{X}$ and $\mathcal{Y}' \subseteq \mathcal{Y}$ with $f'(x,y) = f(x,y)$ that still satisfies condition (10). Clearly, if $f$ can be computed from a primitive $P_{UV}$ with an error $\varepsilon$ in the semi-honest model, then $f'$ can be computed with the same error. Thus, any lower bound for $f'$ implies a lower bound for $f$.

Corollary 3: For any implementation of $m$ independent instances of $\binom{n}{t}\text{-OT}^k$ from a primitive $P_{UV}$ that is $\varepsilon$-secure in the semi-honest model, the following lower bound must hold:

$$H(U|V) \ge ((1-\varepsilon)n - t)km - (3\lceil n/t \rceil - 1)(\varepsilon m t k + h(\varepsilon)) .$$

Proof: We can choose subsets $C_i \subseteq \{0, \dots, n-1\}$, with $1 \le i \le \lceil n/t \rceil$, of size $t$ such that $\bigcup_i C_i = \{0, \dots, n-1\}$, and restrict Bob to choose one of these sets as input for every instance of OT. It is easy to check that condition (10) is satisfied. The statement follows from Theorem 1. $\blacksquare$
For our next lower bound, the function $f$ must satisfy the following property. Let $f : \mathcal{X} \times \mathcal{Y} \to \mathcal{Z}$ be a function such that there exists $y_1 \in \mathcal{Y}$ such that

$$\forall x \neq x' \in \mathcal{X} : f(x, y_1) \neq f(x', y_1) , \qquad (13)$$

and $y_2 \in \mathcal{Y}$ such that

$$\forall x, x' \in \mathcal{X} : f(x, y_2) = f(x', y_2) . \qquad (14)$$

Therefore, Bob will receive Alice's whole input if his input is $y_1$, and will get no information about Alice's input if his input is $y_2$. This property can for example be satisfied by restricting Alice's input in $\binom{n}{t}\text{-OT}^k$, as we will see in Corollary 4.

Let Alice's input $X$ be uniformly distributed. Loosely speaking, the security of the protocol implies that the communication gives (almost) no information about Alice's input $X$ if Bob's input is $y_2$. But the communication must be (almost) independent of Bob's input, otherwise Alice could learn Bob's input. Thus, Alice's input $X$ is uniform with respect to the whole communication even when Bob's input is $y_1$. Let now Bob's input be fixed to $y_1$ and let $M$ be the whole communication. The following lower bound can be proved using the given intuition.

Lemma 4:

$$H(f(X, y_1) | M, U \wedge V, Y=y_1) \ge \log |\mathcal{X}| - 6(\varepsilon \log |\mathcal{X}| + h(\varepsilon)) .$$

Proof: Let $g_U, g_V$ be the functions that compute the common part of $P_{UV}$. As in inequality (11) in the proof of Lemma 3 we obtain that

$$D(P_{XMU|Y=y}, P_{XMU|Y=y'}) \le 2\varepsilon$$

for all $y, y' \in \mathcal{Y}$. This implies that

$$D(P_{X M g_U(U) | Y=y}, P_{X M g_U(U) | Y=y'}) \le 2\varepsilon , \qquad (15)$$

and

$$D(P_X P_{M g_U(U) | Y=y}, P_X P_{M g_U(U) | Y=y'}) \le 2\varepsilon . \qquad (16)$$

Since the protocol is secure, there exists a simulator $S_B$ such that

$$D(P_{XMV|Y=y_2}, P_{X S_B(y_2, f(X, y_2))}) \le \varepsilon .$$

From the property (14), we can conclude that

$$D(P_{XMV|Y=y_2}, P_X P_{S_B(y_2, f(X, y_2))}) \le \varepsilon .$$

Therefore, we can use the triangle inequality to derive the following upper bound on the distance from uniform of $X$ with respect to $M g_U(U)$ conditioned on $y_2$:

$$D(P_{X M g_U(U) | Y=y_2}, P_X P_{M g_U(U) | Y=y_2}) \le D(P_{XMV|Y=y_2}, P_X P_{MV|Y=y_2}) \le D(P_{XMV|Y=y_2}, P_X P_{S_B(y_2, f(X, y_2))}) + D(P_X P_{S_B(y_2, f(X, y_2))}, P_X P_{MV|Y=y_2}) \le 2\varepsilon . \qquad (17)$$

This implies that a weaker upper bound also holds conditioned on $y_1$, as follows: We can use the triangle inequality again to conclude from (15), (16) and (17) that

$$D(P_{X M g_U(U) | Y=y_1}, P_X P_{M g_U(U) | Y=y_1}) \le D(P_{X M g_U(U) | Y=y_1}, P_{X M g_U(U) | Y=y_2}) + D(P_{X M g_U(U) | Y=y_2}, P_X P_{M g_U(U) | Y=y_2}) + D(P_X P_{M g_U(U) | Y=y_2}, P_X P_{M g_U(U) | Y=y_1}) \le 6\varepsilon .$$

Therefore, we obtain

$$H(f(X, y_1) | M, U \wedge V, Y=y_1) = H(X | M, U \wedge V, Y=y_1) \ge \log |\mathcal{X}| - 6(\varepsilon \log |\mathcal{X}| + h(\varepsilon)) ,$$

where we used Lemma 1. $\blacksquare$

We use Lemma |4] to prove the following lower bound 
on the mutual information of the distributed randomness for 
implementations of a two-party function / from a primitive 
Puv m the semi-honest model. 

Theorem 2: Let $f : \mathcal{X} \times \mathcal{Y} \to \mathcal{Z}$ be a function that satisfies (13) and (14). Then, for any protocol that implements $f$ with an error of at most $\varepsilon$ in the semi-honest model from a primitive $P_{UV}$, the following lower bound must hold:
$$I(U;V) \;\geq\; I(U;V \mid U\wedge V) \;\geq\; \log|\mathcal{X}| - 7\bigl(\varepsilon\log|\mathcal{X}| + h(\varepsilon)\bigr) .$$

Proof: Let Alice's input $X$ be uniformly distributed and Bob's input be fixed to $y_1$. Let $Z$ be Bob's output and $M$ the whole communication. Then Lemma 4 implies that
$$H(f(X,y_1) \mid M, U\wedge V) \geq \log|\mathcal{X}| - 6\bigl(\varepsilon\log|\mathcal{X}| + h(\varepsilon)\bigr) . \quad (18)$$
Since $\Pr[Z \neq f(X,y_1)] \leq \varepsilon$ and $X \leftrightarrow VM \leftrightarrow Z$ is a Markov chain, it follows from the data-processing inequality and Fano's inequality that
$$H(f(X,y_1) \mid VM) \leq H(f(X,y_1) \mid Z) \leq \varepsilon\log|\mathcal{X}| + h(\varepsilon) . \quad (19)$$
Inequalities (18) and (19) imply, using the Markov chain $X \leftrightarrow UM \leftrightarrow V$, the data-processing inequality and the chain rule, that
$$\begin{aligned}
I(U;V \mid M, U\wedge V) &\geq I(X;V \mid M, U\wedge V) \\
 &\geq I(f(X,y_1); V \mid M, U\wedge V) \\
 &= H(f(X,y_1) \mid M, U\wedge V) - H(f(X,y_1) \mid VM, U\wedge V) \\
 &\geq \log|\mathcal{X}| - 7\bigl(\varepsilon\log|\mathcal{X}| + h(\varepsilon)\bigr) .
\end{aligned}$$
Let $M^i := (M_1,\dots,M_i)$, i.e., the sequence of all messages sent until the $i$-th round. Without loss of generality, let us assume that Alice sends the message of the $(i+1)$-th round. Since $M^{i+1} \leftrightarrow M^iU \leftrightarrow V$ is a Markov chain, it follows that
$$I(U;V \mid M^{i+1}, U\wedge V) \leq I(U;V \mid M^i, U\wedge V) .$$
By induction over all rounds, it holds that
$$I(U;V \mid M, U\wedge V) \leq I(U;V \mid U\wedge V) .$$
The statement follows. ■



The next corollary provides a lower bound on the mutual information for implementations of $\binom{n}{t}$-OT$^k$ from a primitive $P_{UV}$. It follows immediately from Theorem 2.

Corollary 4: If there exists a protocol that implements $m$ independent instances of $\binom{n}{t}$-OT$^k$ from a primitive $P_{UV}$ with an error of at most $\varepsilon$ in the semi-honest model, then the following lower bounds must hold: If $t \leq \lfloor n/2\rfloor$, then
$$I(U;V \mid U\wedge V) \geq mtk - 7\bigl(\varepsilon mtk + h(\varepsilon)\bigr) .$$
If $t > \lfloor n/2\rfloor$, then
$$I(U;V \mid U\wedge V) \geq m(n-t)k - 7\bigl(\varepsilon m(n-t)k + h(\varepsilon)\bigr) .$$

Proof: In the first case, consider the function that is obtained by setting the first $n-t$ inputs to a fixed value and choosing the remaining $t$ inputs from $\{0,1\}^{tk}$ for every instance of OT. In the second case, we use the fact that $\binom{2(n-t)}{n-t}$-OT$^k$ can be obtained from $\binom{n}{t}$-OT$^k$ by fixing $2t-n$ inputs. Thus, both bounds follow from Theorem 2. ■

An instance of $\binom{2}{1}$-OT$^1$ can be implemented from one instance of $\binom{2}{1}$-OT$^1$ in the opposite direction [51]. Therefore, it follows immediately from Corollary 1 that
$$H(V \mid U) \geq 1 - 5h(\varepsilon) - 7\varepsilon ,$$
since any violation of this bound would contradict the bound of Corollary 3. We will show that a generalization of this bound also holds for $m$ independent copies of $\binom{n}{1}$-OT$^k$ for any $n \geq 2$. Note that we can assume that $k = 1$. The resulting bound then also implies a bound for $k > 1$ because one instance of $\binom{n}{1}$-OT$^1$ can be implemented from one instance of $\binom{n}{1}$-OT$^k$.

Theorem 3: Let a protocol having access to $P_{UV}$ be an $\varepsilon$-secure implementation of $m$ independent copies of $\binom{n}{1}$-OT$^1$ in the semi-honest model. Then
$$H(V \mid U) \geq m\log n - m(4\log n + 7)\bigl(\varepsilon + h(\varepsilon)\bigr) .$$

Proof: Let Alice and Bob choose their inputs $X = (X^1,\dots,X^m) \in \{0,1\}^{nm}$, where $X^j = (X^j_0,\dots,X^j_{n-1})$, and $C = (C^1,\dots,C^m) \in \{0,\dots,n-1\}^m$ uniformly at random. Let $Y = (Y^1,\dots,Y^m)$ be the output of Bob at the end of the protocol. Let $j \in \{1,\dots,m\}$. First, we consider the $j$th instance of $\binom{n}{1}$-OT$^1$. Let $A_i := X^j_0 \oplus X^j_i$ for $i \in \{1,\dots,n-1\}$. From the security of the protocol follows that there exists a randomized function $S_B(c, x_c)$ such that for all $a = (a_1,\dots,a_{n-1}) \in \{0,1\}^{n-1}$,
$$D(P_{YCVM|A=a}, P_{X_C C S_B(C, X_C)}) \leq \varepsilon .$$
Hence, the triangle inequality implies that
$$D(P_{Y^jC^jVM|A=a}, P_{Y^jC^jVM|A=a'}) \leq D(P_{YCVM|A=a}, P_{YCVM|A=a'}) \leq 2\varepsilon \quad (20)$$
holds for all $a, a'$. We have $\Pr[Y^j \neq X^j_{C^j} \mid A = a] \leq \varepsilon$ for all $a$. If $A = (0,\dots,0)$, we have $X^j_{C^j} = X^j_0$. Since $X^j \leftrightarrow VM \leftrightarrow Y^j$ is a Markov chain, it follows from the data-processing inequality and Fano's inequality that
$$H(Y^j \mid VM, A=(0,\dots,0)) \leq H(Y^j \mid X^j, A=(0,\dots,0)) \leq H(Y^j \mid X^j_0, A=(0,\dots,0)) \leq \varepsilon + h(\varepsilon) . \quad (21)$$
Now, we map $C^j$ to a bit string of size $\lceil\log n\rceil$. Let $C_b$ be the $b$-th bit of that bit string, where $b \in \{0,\dots,\lceil\log n\rceil - 1\}$. Let $a^b = (a^b_1,\dots,a^b_{n-1})$, where $a^b_i = 1$ if and only if the $b$-th bit of $i$ is $1$. Conditioned on $A = a^b$, we have $X^j_{C^j} = X^j_0 \oplus C_b$. It follows from $X^j \leftrightarrow VM \leftrightarrow Y^j$, the data-processing inequality and Fano's inequality that
$$H(Y^j \oplus C_b \mid VM, A=a^b) \leq H(Y^j \oplus C_b \mid X^j_0, A=a^b) \leq \varepsilon + h(\varepsilon) . \quad (22)$$
By Lemma 1, (20) and (21), we obtain
$$H(Y^j \mid VMA) \leq \varepsilon + h(\varepsilon) + 2\varepsilon + h(2\varepsilon) \leq 3\varepsilon + 3h(\varepsilon) .$$
It follows from Lemma 1, (20) and (22) that for all $b$
$$H(Y^j \oplus C_b \mid VMA) \leq 3\varepsilon + 3h(\varepsilon) .$$
Since $(C^j, Y^j)$ can be calculated from $(Y^j, Y^j \oplus C_0, \dots, Y^j \oplus C_{\lceil\log n\rceil - 1})$, this implies that
$$H(C^jY^j \mid VMA) \leq 3(\lceil\log n\rceil + 1)\bigl(\varepsilon + h(\varepsilon)\bigr) .$$
The Markov chain $A \leftrightarrow VM \leftrightarrow C^jY^j$, $\lceil\log n\rceil \leq \log n + 1$ and the fact that conditioning reduces entropy imply that
$$H(C^j \mid VM) \leq 3(\log n + 2)\bigl(\varepsilon + h(\varepsilon)\bigr) .$$
Thus we can use subadditivity to obtain
$$H(C \mid VM) \leq \sum_{j=1}^m H(C^j \mid VM) \leq 3m(\log n + 2)\bigl(\varepsilon + h(\varepsilon)\bigr) .$$
We can use the chain rule, the fact that conditioning reduces entropy, and the bound just derived to obtain
$$\begin{aligned}
H(C \mid UM) &= H(V \mid UM) + H(C \mid UVM) - H(V \mid CUM) \\
 &\leq H(V \mid UM) + 3m(\log n + 2)\bigl(\varepsilon + h(\varepsilon)\bigr) \\
 &\leq H(V \mid U) + 3m(\log n + 2)\bigl(\varepsilon + h(\varepsilon)\bigr) .
\end{aligned}$$
The security of the protocol implies that there exists a randomized function $S_A$ such that $D(P_{C S_A(X)}, P_{CUM}) \leq \varepsilon$. Using Lemma 1 and the data-processing inequality, we obtain that
$$\begin{aligned}
H(C \mid UM) &\geq H(C \mid S_A(X)) - \varepsilon m\log n - h(\varepsilon) \\
 &\geq H(C \mid X) - \varepsilon m\log n - h(\varepsilon) \\
 &= m\log n - \varepsilon m\log n - h(\varepsilon) ,
\end{aligned}$$
since $C$ is uniform and independent of $X$. Combining the two bounds on $H(C \mid UM)$ yields
$$H(V \mid U) \geq m\log n - \varepsilon m\log n - h(\varepsilon) - 3m(\log n + 2)\bigl(\varepsilon + h(\varepsilon)\bigr) \geq m\log n - m(4\log n + 7)\bigl(\varepsilon + h(\varepsilon)\bigr) . \qquad ■$$

Altogether, Corollary 3, Corollary 4 and Theorem 3 prove the following theorem.

Theorem 4: If there exists a protocol having access to $P_{UV}$ that implements $m$ instances of $\binom{n}{1}$-OT$^k$ with an error of at most $\varepsilon$ in the semi-honest model, then
$$\begin{aligned}
H(U \mid V) &\geq m(n-1)k - (4n-1)\bigl(\varepsilon mk + h(\varepsilon)\bigr) , \\
H(V \mid U) &\geq m\log n - m(4\log n + 7)\bigl(\varepsilon + h(\varepsilon)\bigr) , \\
I(U;V \mid U\wedge V) &\geq mk - 7\varepsilon mk - 7h(\varepsilon) .
\end{aligned}$$



Since $m$ instances of $\binom{n}{1}$-OT$^k$ are equivalent to a primitive $P_{UV}$ with $H(U \mid V) = m(n-1)k$, $I(U;V) = mk$ and $H(V \mid U) = m\log n$, any protocol that implements $M$ instances of $\binom{N}{1}$-OT$^K$ from $m$ instances of $\binom{n}{1}$-OT$^k$ with an error of at most $\varepsilon$ needs to satisfy the following inequalities:
$$\begin{aligned}
m(n-1)k &\geq M(N-1)K - (4N-1)\bigl(\varepsilon MK + h(\varepsilon)\bigr) , \\
mk &\geq MK - 7\varepsilon MK - 7h(\varepsilon) , \\
m\log n &\geq M\log N - M(4\log N + 7)\bigl(\varepsilon + h(\varepsilon)\bigr) .
\end{aligned}$$
Thus, we get Corollary 1.

We will now use the proof of Theorem 1 and the smooth entropy formalism to derive a lower bound on the conditional min-entropy for information-theoretically secure implementations of functions $f : \mathcal{X} \times \mathcal{Y} \to \mathcal{Z}$ from a primitive $P_{UV}$ in the semi-honest model. As a motivation, consider the following question: is it possible to $\varepsilon$-securely implement $\binom{2}{1}$-OT$^K$ from $(1/2)$-RabinOT$^k$? Corollary 3 only tells us that $K$ must be smaller than or equal to $k/2$. Our lower bound on the conditional smooth min-entropy, however, implies that there is no such implementation if $K \geq 2$ and $0 \leq \varepsilon \leq 0.25$, independently of $k$.

Let $f : \mathcal{X} \times \mathcal{Y} \to \mathcal{Z}$ be a function that satisfies (10). Let Alice and Bob choose their inputs $X$ and $Y$ uniformly at random and let $M$ be the whole communication during the protocol. For the rest of this section, we assume that all parameters are sufficiently small such that the smoothing parameters of the smooth entropies are always in $[0, 1)$.

Lemma 5: If there exists an $\varepsilon$-secure implementation of $f : \mathcal{X} \times \mathcal{Y} \to \mathcal{Z}$ from a primitive $P_{UV}$ in the (weak) semi-honest model, then
$$H^{3|\mathcal{Y}|\varepsilon}_{\max}(X \mid UM, Y=y) = 0 .$$

Proof: Since the protocol is secure for Bob, there exists a randomized function $S_A$ such that
$$D(P_{XMU|Y=y}, P_{X S_A(X)}) \leq \varepsilon$$
for all $y \in \mathcal{Y}$. Therefore, for any $y, y'$
$$D(P_{XMU|Y=y}, P_{XMU|Y=y'}) \leq 2\varepsilon . \quad (23)$$
It holds that $I(X; Z \mid UM, Y=y) = 0$. Furthermore, we have $\Pr[Z \neq f(X,Y) \mid Y=y] \leq \varepsilon$. Thus, Lemmas 18 and 12 imply that
$$H^{\varepsilon}_{\max}(f(X,y) \mid UM, Y=y) \leq H^{\varepsilon}_{\max}(f(X,y) \mid Z, Y=y) = 0 . \quad (24)$$
Together with (23), this implies that for any $y, y'$
$$H^{3\varepsilon}_{\max}(f(X,y) \mid UM, Y=y') = 0 .$$
Since $X$ can be computed from the values $f(X,y')$ for all $y' \in \mathcal{Y}$, we obtain
$$H^{3|\mathcal{Y}|\varepsilon}_{\max}(X \mid UM, Y=y) \leq H^{3|\mathcal{Y}|\varepsilon}_{\max}\bigl((f(X,y'))_{y' \in \mathcal{Y}} \mid UM, Y=y\bigr) \leq \sum_{y' \in \mathcal{Y}} H^{3\varepsilon}_{\max}(f(X,y') \mid UM, Y=y) = 0 ,$$
where we used Lemma 19 and the subadditivity of the max-entropy (Lemma 14). ■
Let $P_{XY}$ be the input distribution to the ideal primitive. Then the security of the protocol implies the following lemma.

Lemma 6: For any protocol that is an $\varepsilon$-secure implementation of $f : \mathcal{X} \times \mathcal{Y} \to \mathcal{Z}$ from a primitive $P_{UV}$ in the semi-honest model,
$$H^{\varepsilon+\varepsilon'}_{\min}(X \mid VM) \geq H^{\varepsilon'}_{\min}(X \mid Y f(X,Y)) ,$$
for any $\varepsilon' \geq 0$.

Proof: The security of the protocol implies that there exists a randomized function $S_B$, the simulator, such that $D(P_{XY S_B(Y, f(X,Y))}, P_{XYVM}) \leq \varepsilon$. Therefore, we obtain
$$H^{\varepsilon+\varepsilon'}_{\min}(X \mid VM) \geq H^{\varepsilon'}_{\min}(X \mid S_B(Y, f(X,Y))) \geq H^{\varepsilon'}_{\min}(X \mid Y f(X,Y)) ,$$
where we used Lemma 11 in the second inequality. ■
Theorem 5: Let $f : \mathcal{X} \times \mathcal{Y} \to \mathcal{Z}$ be a function that satisfies (10). If there exists a protocol having access to a primitive $P_{UV}$ that implements $f$ with an error of at most $\varepsilon$ in the semi-honest model, then
$$H^{(3|\mathcal{Y}|+1)\varepsilon + \varepsilon'}_{\min}(U \mid V) \geq \max_{y \in \mathcal{Y}} H^{\varepsilon'}_{\min}(X \mid f(X,y)) ,$$
for any $\varepsilon' \geq 0$.

Proof: Let $y \in \mathcal{Y}$. It follows from Lemmas 5 and 15 that
$$H^{3|\mathcal{Y}|\varepsilon}_{\max}(X \mid UVM, Y=y) \leq H^{3|\mathcal{Y}|\varepsilon}_{\max}(X \mid UM, Y=y) = 0 .$$
Therefore, Lemmas 13 and 16 imply that
$$H^{\varepsilon+\varepsilon'}_{\min}(X \mid VM, Y=y) - H^{3|\mathcal{Y}|\varepsilon}_{\max}(X \mid UVM, Y=y) \leq H^{(3|\mathcal{Y}|+1)\varepsilon+\varepsilon'}_{\min}(U \mid VM, Y=y) \leq H^{(3|\mathcal{Y}|+1)\varepsilon+\varepsilon'}_{\min}(U \mid V) .$$
We can use Lemma 6 to obtain
$$H^{\varepsilon'}_{\min}(X \mid f(X,y)) \leq H^{\varepsilon+\varepsilon'}_{\min}(X \mid VM, Y=y) .$$
The statement follows by maximizing over all $y$. ■

A. Lower Bounds for Protocols implementing OT 

Corollary 5: Any protocol that implements $M$ instances of $\binom{N}{1}$-OT$^K$ from $m$ instances of $\binom{n}{1}$-OT$^k$ with an error of at most $\varepsilon$, where $0 \leq \varepsilon \leq \frac{1}{2(3n+1)}$, in the semi-honest model must satisfy
$$m(n-1)k \geq M(N-1)K - (6n+2)\varepsilon .$$

Proof: From Theorem 5 follows that
$$H^{(3n+1)\varepsilon}_{\min}(U \mid V) \geq M(N-1)K . \quad (25)$$
For the distribution $P_{UV}$ of randomized OTs, the entropy $H^{\varepsilon}_{\min}(U \mid V)$ with $0 \leq \varepsilon < 1$ is maximized by the event $\Omega$ with $P_{\Omega|U=u,V=v} = 1-\varepsilon$ for all $u, v$ in the support of $P_{UV}$. Therefore, we have
$$H^{(3n+1)\varepsilon}_{\min}(U \mid V) \leq -\log\bigl(2^{-m(n-1)k}(1-(3n+1)\varepsilon)\bigr) = m(n-1)k - \log\bigl(1-(3n+1)\varepsilon\bigr) . \quad (26)$$
The statement follows from the fact that $\log(1/\varepsilon) \leq 2(1-\varepsilon)$ for $1/2 \leq \varepsilon \leq 1$, applied to $1-(3n+1)\varepsilon \geq 1/2$. ■

This corollary implies that there is no protocol that extends $\binom{2}{1}$-OT in the semi-honest model.

Corollary 6: Any protocol that implements $m+1$ instances of $\binom{2}{1}$-OT$^1$ in the semi-honest model using $m$ instances of $\binom{2}{1}$-OT$^1$ must have an error $\varepsilon \geq 1/14$.
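As an added example (my own code, not the paper's), the following Python computes the three entropy parameters of a randomized $\binom{n}{1}$-OT$^k$ directly from its joint distribution, which is how the equivalence $H(U \mid V) = m(n-1)k$, $I(U;V) = mk$, $H(V \mid U) = m\log n$ stated after Theorem 4 can be checked, and then evaluates the necessary conditions of Theorem 4 next to the smooth-min-entropy condition of Corollary 5. All function names are mine. The point it makes explicit is the one behind Corollary 6: for large $m$ the Shannon-entropy conditions no longer exclude building $m+1$ OTs from $m$ with a small error, whereas Corollary 5 does.

```python
import itertools
import math
from fractions import Fraction


def binary_entropy(p):
    """h(p) in bits, with h(0) = h(1) = 0."""
    if p <= 0 or p >= 1:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def randomized_ot_distribution(n, k):
    """Joint distribution P_UV of one randomized (n,1)-OT^k as a dict
    {(u, v): probability}. U = (X_0, ..., X_{n-1}) with each X_i uniform
    in {0,1}^k; V = (C, X_C) with C uniform in {0, ..., n-1}."""
    strings = list(itertools.product((0, 1), repeat=k))
    p = Fraction(1, len(strings) ** n * n)
    return {(xs, (c, xs[c])): p
            for xs in itertools.product(strings, repeat=n)
            for c in range(n)}


def entropy(dist):
    return -sum(float(p) * math.log2(float(p)) for p in dist.values() if p > 0)


def marginal(dist, idx):
    out = {}
    for uv, p in dist.items():
        out[uv[idx]] = out.get(uv[idx], 0) + p
    return out


def ot_parameters(n, k):
    """(H(U|V), I(U;V), H(V|U)) of one randomized (n,1)-OT^k, in bits.
    Expected: ((n-1)k, k, log2 n); m independent instances scale linearly."""
    d = randomized_ot_distribution(n, k)
    h_uv = entropy(d)
    h_u = entropy(marginal(d, 0))
    h_v = entropy(marginal(d, 1))
    return h_uv - h_v, h_u + h_v - h_uv, h_uv - h_u


def theorem4_allows(m, n, k, M, N, K, eps):
    """True iff the three Shannon-entropy necessary conditions (the display
    after Theorem 4) do NOT exclude M x (N,1)-OT^K from m x (n,1)-OT^k."""
    h = binary_entropy(eps)
    c1 = m * (n - 1) * k >= M * (N - 1) * K - (4 * N - 1) * (eps * M * K + h)
    c2 = m * k >= M * K - 7 * eps * M * K - 7 * h
    c3 = (m * math.log2(n)
          >= M * math.log2(N) - M * (4 * math.log2(N) + 7) * (eps + h))
    return c1 and c2 and c3


def corollary5_allows(m, n, k, M, N, K, eps):
    """True iff the smooth-min-entropy condition of Corollary 5 does NOT
    exclude the reduction. Corollary 5 is only stated for
    eps <= 1/(2(3n+1)); larger eps is rejected here."""
    if eps > 1 / (2 * (3 * n + 1)):
        raise ValueError("Corollary 5 is not stated for this error")
    return m * (n - 1) * k >= M * (N - 1) * K - (6 * n + 2) * eps


if __name__ == "__main__":
    print(ot_parameters(3, 1))                              # (2.0, 1.0, log2 3)
    print(theorem4_allows(100, 2, 1, 101, 2, 1, 0.01))      # True: not excluded
    print(corollary5_allows(100, 2, 1, 101, 2, 1, 0.01))    # False: excluded
```

With `m = 100`, `eps = 0.01` the Theorem 4 conditions are satisfied by a 101-from-100 extension, while `corollary5_allows` returns `False`; only at `eps >= 1/14` does the Corollary 5 condition stop excluding it, which is Corollary 6.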

B. Lower Bounds for Equality Function

Corollary 7: Let a protocol having access to a $P_{UV}$ be an $\varepsilon$-secure implementation of $\mathrm{EQ}_n$ in the semi-honest model. Then
$$H(U \mid V) \geq (1-\varepsilon)k - (3\cdot 2^k - 1)\bigl(\varepsilon + h(\varepsilon)\bigr) - 1 ,$$
and
$$H^{(3\cdot 2^k+1)\varepsilon}_{\min}(U \mid V) \geq k - 1 ,$$
for all $0 < k \leq n$. If $0 \leq \varepsilon \leq 1/(6\cdot 2^k + 2)$ and $P_{UV}$ is equivalent to $m$ instances of $\binom{2}{1}$-OT$^1$, then
$$m \geq k - 1 - (6\cdot 2^k + 2)\varepsilon ,$$
for all $0 < k \leq n$.

Proof: We can restrict the input domains of both players to the same subsets of size $2^k$. Condition (10) will still be satisfied. Thus, the corollary follows immediately from Theorems 1 and 5. ■
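As an added worked computation (not in the paper), the value $k-1$ in Corollary 7 is exactly $H_{\min}(X \mid \mathrm{EQ}_k(X,y))$ for $X$ uniform on a set of size $2^k$ and any fixed $y$, using the guessing-probability form of the classical conditional min-entropy: $\mathrm{EQ}_k(X,y) = 1$ with probability $2^{-k}$ and then determines $X$, while $\mathrm{EQ}_k(X,y) = 0$ leaves $X$ uniform on the remaining $2^k - 1$ values, so

$$H_{\min}(X \mid \mathrm{EQ}_k(X,y)) = -\log \sum_{z \in \{0,1\}} \Pr[Z = z]\,\max_x P_{X|Z=z}(x) = -\log\Bigl(2^{-k}\cdot 1 + (1-2^{-k})\cdot\frac{1}{2^k-1}\Bigr) = -\log\bigl(2^{-k} + 2^{-k}\bigr) = k - 1 ,$$

which is the quantity Theorem 5 (with $\varepsilon' = 0$) is applied to. The same calculation with $\langle X, e_i\rangle$ in place of $\mathrm{EQ}_k$ gives $n-1$ for Corollary 8.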
There exists a secure reduction of $\mathrm{EQ}_n$ to $\mathrm{EQ}_k$ [34]: Alice and Bob compare $k$ inner products of their inputs with random strings using $\mathrm{EQ}_k$. This protocol is secure in the semi-honest model with an error of at most $2^{-k}$. Since there exists a circuit that implements $\mathrm{EQ}_k$ with $k$ XOR and $k$ AND gates, it follows from [3] that $\mathrm{EQ}_k$ can be securely implemented using $k$ instances of $\binom{4}{1}$-OT$^1$ or $3k$ instances of $\binom{2}{1}$-OT$^1$ in the semi-honest model. Since $m$ instances of $\binom{2}{1}$-OT$^1$ are equivalent to a primitive $P_{UV}$ with $H(U \mid V) = m$, the bound of Corollary 7 is optimal up to a factor of $3$. We can improve the above construction with the following protocol that computes additive shares of $(x_1 \oplus y_1) \wedge (x_2 \oplus y_2)$ using two instances of $\binom{2}{1}$-OT$^1$: Alice chooses two random bits $r_1, r_2$ and inputs $r_1, r_1 \oplus x_1$ to the first and $r_2, r_2 \oplus x_2$ to the second instance. Bob uses $y_2$ as the choice bit for the first and $y_1$ as the choice bit for the second instance of OT. Bob receives two outputs $z_1 = r_1 \oplus x_1y_2$ and $z_2 = r_2 \oplus x_2y_1$. Setting $a = r_1 \oplus r_2 \oplus x_1x_2$ and $b = z_1 \oplus z_2 \oplus y_1y_2$, we have
$$a \oplus b = x_1x_2 \oplus y_1y_2 \oplus x_1y_2 \oplus x_2y_1 = (x_1 \oplus y_1) \wedge (x_2 \oplus y_2) .$$
Thus, we can compute $\mathrm{EQ}_k$ with $2(k-1)$ instances of $\binom{2}{1}$-OT$^1$.
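The two-OT sharing gadget above, run end to end as an added example (my own Python, not code from the paper). It uses an ideal $\binom{2}{1}$-OT$^1$ as a function call, chains the gadget so that the shares $(a,b)$ of the running AND become the next gate's Alice bit and Bob bit, and counts OT invocations; that chaining is my reading of how the $2(k-1)$ count arises, since the text does not spell it out. `gadget_bob_view` enumerates Alice's coins to show that Bob's two OT outputs are uniform whatever Alice's input is, which is the semi-honest privacy argument for Alice. All names are mine.

```python
import itertools
import random


def ot(x0, x1, c):
    """Ideal (2,1)-OT^1: Bob, holding choice bit c, learns x_c only."""
    return x1 if c else x0


def and_gadget(x1, x2, y1, y2, rng, ot_calls):
    """Additive shares (a, b) of (x1 ^ y1) & (x2 ^ y2) from two OTs, exactly
    as in the text: Alice holds x1, x2 and coins r1, r2; Bob holds y1, y2.
    ot_calls is a one-element list used as an invocation counter."""
    r1, r2 = rng.randrange(2), rng.randrange(2)
    z1 = ot(r1, r1 ^ x1, y2)            # z1 = r1 ^ x1*y2
    z2 = ot(r2, r2 ^ x2, y1)            # z2 = r2 ^ x2*y1
    ot_calls[0] += 2
    a = r1 ^ r2 ^ (x1 & x2)
    b = z1 ^ z2 ^ (y1 & y2)
    return a, b


def eq_protocol(x, y, rng=None):
    """Semi-honest EQ_k(x, y) for bit tuples x (Alice) and y (Bob).
    EQ_k = AND_i (1 ^ x_i ^ y_i): Alice complements her bits, and the gadget
    is chained so the shares of the running AND feed the next gate.
    Returns (EQ_k(x, y), number of OT invocations)."""
    rng = rng or random.Random(0)
    ot_calls = [0]
    xs = [xi ^ 1 for xi in x]
    a, b = xs[0], y[0]                  # trivial shares of the first factor
    for i in range(1, len(x)):
        a, b = and_gadget(a, xs[i], b, y[i], rng, ot_calls)
    return a ^ b, ot_calls[0]


def gadget_bob_view(x1, x2, y1, y2):
    """Distribution of Bob's OT outputs (z1, z2) over Alice's coins r1, r2.
    It is uniform for every x1, x2: Bob's view is independent of Alice's
    input, so the gadget leaks nothing to a semi-honest Bob."""
    counts = {}
    for r1, r2 in itertools.product((0, 1), repeat=2):
        z = (ot(r1, r1 ^ x1, y2), ot(r2, r2 ^ x2, y1))
        counts[z] = counts.get(z, 0) + 1
    return counts


def all_bit_tuples(k):
    return list(itertools.product((0, 1), repeat=k))


if __name__ == "__main__":
    print(eq_protocol((1, 0, 1), (1, 0, 1)))   # (1, 4): equal, 2(k-1) = 4 OTs
    print(eq_protocol((1, 0, 1), (1, 1, 1)))   # (0, 4)
```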

C. Lower Bounds for Inner Product Function

Corollary 8: Let a protocol having access to a primitive $P_{UV}$ be an $\varepsilon$-secure implementation of the inner product function $\mathrm{IP}_n$ in the semi-honest model. Then it holds that
$$H(U \mid V) \geq n - 1 - 4n\bigl(\varepsilon + h(\varepsilon)\bigr)$$
and
$$H^{(3n+1)\varepsilon}_{\min}(U \mid V) \geq n - 1 .$$
If $P_{UV}$ is equivalent to $m$ instances of $\binom{2}{1}$-OT$^1$ and $0 \leq \varepsilon \leq 1/(6n+2)$, then
$$m \geq n - 1 - (6n+2)\varepsilon .$$

Proof: Let $e_i \in \{0,1\}^n$ be the string that has a one at the $i$-th position and is zero otherwise. Let $S := \{e_i : 1 \leq i \leq n\}$. Then the protocol is an $\varepsilon$-secure implementation of the restriction of the inner-product function to inputs from $\{0,1\}^n \times S$. Since this restricted function satisfies condition (10), the statement follows from Theorems 1 and 5. ■

If $\varepsilon \leq 1/(8n)$, then it immediately follows from Corollary 8 that we need at least $n-2$ calls to $\binom{2}{1}$-OT$^1$ to compute $\mathrm{IP}_n$ with an error of at most $\varepsilon$. Consider the following protocol from [34] that is adapted to $\binom{2}{1}$-OT$^1$: Alice chooses $r = (r_1,\dots,r_{n-1})$ uniformly at random and sets $r_n := \bigoplus_{i=1}^{n-1} r_i$. Then, for each $i$, Alice inputs $a_{i,0} := r_i$ and $a_{i,1} := x_i \oplus r_i$ to the OT and Bob inputs $y_i$. Bob receives $z_i$ from the OTs and outputs $\bigoplus_{i=1}^n z_i$. Since
$$\bigoplus_{i=1}^n z_i = \bigoplus_{i=1}^n (x_iy_i \oplus r_i) = \Bigl(\bigoplus_{i=1}^n x_iy_i\Bigr) \oplus \Bigl(\bigoplus_{i=1}^n r_i\Bigr) = \bigoplus_{i=1}^n x_iy_i = \mathrm{IP}_n(x,y) ,$$
the protocol is correct. The security for Alice follows from the fact that $z_1,\dots,z_n$ is a uniformly random string subject to $\bigoplus_{i=1}^n z_i = \mathrm{IP}_n(x,y)$. Thus, there exists a perfectly secure protocol that computes $\mathrm{IP}_n$ from $n$ instances of $\binom{2}{1}$-OT$^1$. Hence, Corollary 8 is almost tight.
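The $\mathrm{IP}_n$ protocol just described, as an added example in Python (my code, not the paper's or [34]'s). Besides checking correctness, `bob_view_distribution` enumerates all of Alice's coins and returns the distribution of Bob's OT outputs $z$, which makes the security argument for Alice concrete: every $z$ whose XOR equals $\mathrm{IP}_n(x,y)$ occurs exactly once, so Bob's view is uniform subject to that constraint and independent of $x$ otherwise. Names are mine; the ideal OT is a function call.

```python
import itertools
import random


def ot(x0, x1, c):
    """Ideal (2,1)-OT^1: Bob learns x_c only."""
    return x1 if c else x0


def inner_product(x, y):
    v = 0
    for xi, yi in zip(x, y):
        v ^= xi & yi
    return v


def bob_outputs(x, y, coins):
    """Bob's OT outputs z_1..z_n given Alice's n-1 coins r_1..r_{n-1}.
    Alice sets r_n := XOR of r_1..r_{n-1}, so all r_i XOR to zero, and feeds
    (r_i, x_i ^ r_i) to the i-th OT; Bob chooses with y_i."""
    r = list(coins)
    rn = 0
    for ri in r:
        rn ^= ri
    r.append(rn)
    return tuple(ot(r[i], x[i] ^ r[i], y[i]) for i in range(len(x)))


def ip_protocol(x, y, rng=None):
    """Returns (Bob's output, Bob's view z) for one run with random coins."""
    rng = rng or random.Random(0)
    coins = [rng.randrange(2) for _ in range(len(x) - 1)]
    z = bob_outputs(x, y, coins)
    out = 0
    for zi in z:
        out ^= zi
    return out, z


def bob_view_distribution(x, y):
    """Distribution of Bob's view z over all 2^(n-1) choices of Alice's
    coins. Each z with XOR equal to IP_n(x, y) appears exactly once: z is
    uniform subject to that constraint and reveals nothing else about x."""
    counts = {}
    for coins in itertools.product((0, 1), repeat=len(x) - 1):
        z = bob_outputs(x, y, coins)
        counts[z] = counts.get(z, 0) + 1
    return counts


def all_bit_tuples(k):
    return list(itertools.product((0, 1), repeat=k))


if __name__ == "__main__":
    print(ip_protocol((1, 1, 0), (1, 0, 1)))         # output 1 = IP_3
    print(bob_view_distribution((1, 1, 0), (1, 0, 1)))  # 4 views, each once
```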

D. Lower Bounds for Protocols implementing OLFE

We will now show that Theorems 1 and 2 also imply bounds for oblivious linear function evaluation ($(q)$-OLFE), which is defined as follows:

• For any finite field $\mathrm{GF}(q)$ of size $q$, $(q)$-OLFE is the primitive where Alice has an input $a, b \in \mathrm{GF}(q)$ and Bob has an input $c \in \mathrm{GF}(q)$. Bob receives $d = a + b \cdot c \in \mathrm{GF}(q)$.

Corollary 9: Let a protocol having access to $P_{UV}$ be an $\varepsilon$-secure implementation of $m$ instances of $(q)$-OLFE in the semi-honest model. Then
$$\begin{aligned}
H(U \mid V) &\geq m\log q - 5\bigl(\varepsilon m\log q + h(\varepsilon)\bigr) , & (27) \\
H(V \mid U) &\geq m\log q - 5\bigl(\varepsilon m\log q + h(\varepsilon)\bigr) , & (28) \\
I(U;V \mid U\wedge V) &\geq m\log q - 7\bigl(\varepsilon m\log q + h(\varepsilon)\bigr) . & (29)
\end{aligned}$$

Proof: Inequalities (27) and (29) follow from Theorem 1 and Theorem 2. Furthermore, it has been shown in [51] that $(q)$-OLFE is symmetric. Hence, a violation of (28) would imply a violation of the lower bound in (27). ■

E. Lower Bounds for OT in the Malicious Model

In Appendix A we show that lower bounds in the semi-honest model imply almost the same bounds in the malicious model. In the following, we generalize these results by allowing a dishonest Bob to additionally receive randomness $V'$. Moreover, the following provides a stronger impossibility result, in the case when $V'$ is trivial, than the one that follows from the combination of Lemma A.1 and Theorem 5.

Corollary 10: Let a protocol be an $\varepsilon$-secure implementation of $\binom{2}{1}$-OT$^k$ in the malicious model from randomness $(U, VV')$. Then
$$H^{7\varepsilon}_{\min}(U \mid VV') \geq k .$$

Proof: We consider only honest players, but allow the simulator to change the inputs to the ideal OT and the outputs from the ideal OT. Lemma 5 holds in the weak semi-honest model and, therefore, also in the malicious model. Thus, we have $H^{6\varepsilon}_{\max}(X \mid UM, C=c) = 0$, where $C$ is the choice bit of Bob. The security of the protocol implies that there exists a randomized function $S_B$ such that
$$D(P_{X S_B(c, X_{c'})}, P_{XVV'M}) \leq \varepsilon , \quad (30)$$
where $c'$ is the input to the ideal OT by the simulator. Therefore, we get
$$H^{\varepsilon}_{\min}(X \mid VV'M, C=c) \geq H_{\min}(X \mid S_B(c, X_{c'})) \geq H_{\min}(X \mid X_{c'}) \geq k .$$
As in the proof of Theorem 5 this implies
$$k \leq H^{\varepsilon}_{\min}(X \mid VV'M, C=c) \leq H^{7\varepsilon}_{\min}(U \mid VV') . \qquad ■$$

In the same way, we can show that the impossibility result for implementations of $\binom{2}{1}$-OT$^k$ that follows from Theorem 1 also holds in the malicious model.

Corollary 11: Let a protocol be an $\varepsilon$-secure implementation of $\binom{2}{1}$-OT$^k$ in the malicious model from randomness $(U, VV')$. Then
$$H(U \mid VV') \geq k - 6\bigl(k\varepsilon + h(\varepsilon)\bigr) .$$

Proof: Since Lemma 3 also holds in the malicious model, its bound implies that
$$H(X \mid UVV'M, C=c) \leq H(X \mid UM, C=c) \leq 4\bigl(k\varepsilon + h(\varepsilon)\bigr) .$$
We can use inequality (1) and (30) to obtain
$$H(X \mid VV'M, C=c) \geq H(X \mid S_B(c, X_{c'})) - 2k\varepsilon - h(\varepsilon) \geq H(X \mid X_{c'}) - 2k\varepsilon - h(\varepsilon) \geq k - 2k\varepsilon - h(\varepsilon) .$$
As in the proof of Theorem 1 this implies
$$H(U \mid VV') \geq k - 6\bigl(k\varepsilon + h(\varepsilon)\bigr) . \qquad ■$$

Corollary 11 can be applied to implementations of $\binom{2}{1}$-OT$^k$ from Universal OT over bits. Universal OT [21] is a weakened variant of Bit-OT where a dishonest Bob can choose a channel $P_{Y|X}$ such that $H(X_0X_1 \mid Y) \geq \alpha$, where $(X_0, X_1) \in \{0,1\} \times \{0,1\}$ are uniform and $Y$ is the output of the channel $P_{Y|X}$, and learns $Y$. One choice of a dishonest Bob is the channel that outputs both inputs with probability $1-\alpha$ and one of the inputs, $X_C$, with probability $\alpha$. This primitive can be implemented from randomness $(U, VV') = ((X_0, X_1), (C, X_C, V'))$, where $(U, V)$ corresponds to a randomized $\binom{2}{1}$-OT$^1$ and $V' = X_{1-C}$ with probability $1-\alpha$ and $V' = \bot$ otherwise. For this primitive we have $H(U \mid VV') \leq \alpha$ and, therefore, for $n$ independent instances $H(U^n \mid (VV')^n) \leq \alpha n$. Thus, Corollary 11 implies that $k \leq \alpha n + 6(k\varepsilon + h(\varepsilon))$. As Universal OT is strictly weaker than this primitive, the same bound also applies to Universal OT. The protocol proposed in [35], which implements $\binom{2}{1}$-OT$^k$ from $n$ instances of Universal OT, asymptotically achieves a rate $k/n$ of $\alpha$ [52]. Our lower bound now shows that this is in fact optimal.

IV. Quantum Reductions: Reversing String OT Efficiently

As the bounds of the last section generalize the known bounds for perfect implementations of OT from [28], [11], [12], [30] to the statistical case, it is natural to ask whether similar bounds also hold for quantum protocols, i.e., if the bounds presented in [53] can be generalized to the statistical case. We give a negative answer to this question by presenting a statistically secure quantum protocol that violates these bounds. To this end we introduce the following functionality $\mathcal{F}^{A\to B,k}_{\mathrm{MCOM}}$ that can be implemented from $\mathcal{F}^{A\to B,k}_{\mathrm{OT}}$ (i.e., $\binom{2}{1}$-OT$^k$), as we will show.
Definition 5 (Multi-Commitment): The functionality $\mathcal{F}^{A\to B,k}_{\mathrm{MCOM}}$ behaves as follows: Upon (the first) input $(\mathsf{commit}, b)$ with $b \in \{0,1\}^k$ from Alice, send $\mathsf{committed}$ to Bob. Upon input $(\mathsf{open}, T)$ with $T \subseteq [k]$ from Alice, send $(\mathsf{open}, b_T)$ to Bob. All communication/input/output is classical. We call Alice the sender and Bob the receiver.

An instance of $\binom{2}{1}$-OT$^k$ can be implemented from $m = O(\kappa + k)$ bit commitments with an error of $2^{-\Omega(\kappa)}$ [24], [25], [26]. In the protocol, Alice sends $m$ BB84-states to Bob, who measures them either in the computational or in the Hadamard basis. To ensure that he really measures, Bob has to commit to the basis he has measured in and the measurement outcome for every qubit received. Alice then asks Bob to open a small subset $T$ of these pairs of commitments. OT can then be implemented using further classical processing (see Section VI for a complete description of the protocol). This protocol implements oblivious transfer that is statistically secure in the quantum universal composability model [27]. Obviously the construction remains secure if we replace the commitment scheme with $\mathcal{F}_{\mathrm{MCOM}}$.

Next, we show that $\mathcal{F}^{A\to B,k}_{\mathrm{MCOM}}$ can be implemented from the oblivious transfer functionality $\mathcal{F}^{A\to B,k}_{\mathrm{OT}}$ (see [27] for a definition of $\mathcal{F}^{A\to B,k}_{\mathrm{OT}}$) using Protocol MCOMfromOT.

As it is done in the proofs of [27], we assume that all communication between the players is over secure channels and we only consider static adversaries.

Lemma 7: Protocol MCOMfromOT is statistically secure and universally composable and realizes $\mathcal{F}^{A\to B,k}_{\mathrm{MCOM}}$ with an error of $2^{-\kappa/2}$ using $\kappa$ instances of $\mathcal{F}^{A\to B,k}_{\mathrm{OT}}$.⁶

Proof: The statement is obviously true in the case of no corrupted parties and in the case when both the sender and the receiver are corrupted. We construct for any adversary $\mathcal{A}$ a simulator $\mathcal{S}$ that runs a copy of $\mathcal{A}$ as a black-box. In the case where the sender is corrupted, the simulator $\mathcal{S}$ can

⁶ In this section we will use the notion commonly used in the UC framework, which is slightly different from the rest of the paper.



Protocol MCOMfromOT

Inputs: Alice has an input $b = (b_1,\dots,b_k) \in \{0,1\}^k$ in Commit and an input $T \subseteq [k]$ in Open.

Commit($b$):
For all $1 \leq i \leq \kappa$:
1) Alice and Bob invoke $\mathcal{F}^{A\to B,k}_{\mathrm{OT}}$ with random inputs $x^i_0, x^i_1 \in \{0,1\}^k$ and $c^i \in \{0,1\}$.
2) Bob receives $y^i = x^i_{c^i}$ from $\mathcal{F}^{A\to B,k}_{\mathrm{OT}}$.
3) Alice sends $m^i := x^i_0 \oplus x^i_1 \oplus b$ to Bob.

Open($T$):
1) Alice sends $b_T$, $T$ and $(x^i_0)_T, (x^i_1)_T$ for all $1 \leq i \leq \kappa$ to Bob.
2) If $(m^i)_T = (x^i_0 \oplus x^i_1 \oplus b)_T$ and $(y^i)_T = (x^i_{c^i})_T$ for all $1 \leq i \leq \kappa$, Bob accepts and outputs $b_T$, otherwise he rejects.



extract the commitment $b$ from the input to $\mathcal{F}^{A\to B,k}_{\mathrm{OT}}$ and the messages, except with probability $2^{-\kappa/2}$, as follows: We define the extracted commitment as $b_j := \mathrm{maj}(m^1_j \oplus x^1_{0,j} \oplus x^1_{1,j}, \dots, m^\kappa_j \oplus x^\kappa_{0,j} \oplus x^\kappa_{1,j})$ for all $1 \leq j \leq k$, where $\mathrm{maj}$ denotes the majority function. Let $T$ be a (non-empty) subset of $[k]$ and let $b' \in \{0,1\}^k$ such that $b'_T \neq b_T$. An honest receiver accepts $b'_T$ together with $T$ in Open with probability at most $2^{-\kappa/2}$, as follows: There must exist $j \in T$ such that $b'_j \neq b_j$. Then the sender needs to change either $x^i_{0,j}$ or $x^i_{1,j}$ for at least $\kappa/2$ instances $i$, and each such change is detected by the receiver with probability $1/2$, independently of the others, since the sender does not know which of the two strings the receiver holds. Thus, the simulator extracts the string $b$ in the commit phase as specified before and gives $(\mathsf{commit}, b)$ to $\mathcal{F}^{A\to B,k}_{\mathrm{MCOM}}$. Upon getting $(b', T)$ from the adversary, the simulator gives $(\mathsf{open}, T)$ to $\mathcal{F}^{A\to B,k}_{\mathrm{MCOM}}$ if $b'_T = b_T$, otherwise it stops. Therefore, any environment can distinguish the simulation and the real execution with an advantage of at most $2^{-\kappa/2}$.

In the case where the receiver is corrupted, the simulator $\mathcal{S}$, upon getting the message $\mathsf{committed}$ from $\mathcal{F}^{A\to B,k}_{\mathrm{MCOM}}$ and the choice bit $c^i$, chooses the output $y^i$ from $\mathcal{F}^{A\to B,k}_{\mathrm{OT}}$ and the message $m^i$ uniformly and independently at random for all $i$. In the open phase the simulator $\mathcal{S}$ gets $(T, b_T)$ and simulates the messages of an honest sender by setting $(x^i_{1-c^i})_T := (m^i)_T \oplus (y^i)_T \oplus b_T$ and $(x^i_{c^i})_T := (y^i)_T$ for all $i$. This simulation is perfectly indistinguishable from the real execution. ■
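A classical simulation of Protocol MCOMfromOT with an ideal $\binom{2}{1}$-OT$^k$, added here as an example (my own Python, not code from the paper). It implements Commit, Alice's Open message, Bob's check from step 2 of Open, and the majority extractor from the proof of Lemma 7. `cheat_success_probability` then quantifies binding for $k = 1$ by exact enumeration of Bob's choice bits: a corrupt sender who encodes different bits in different instances (so that the extractor's majority is the best she can hope for) and later flips $x^i_0$ on the instances that disagree with the bit she wants to open is caught exactly when Bob holds $x^i_0$ there, which gives $2^{-\kappa/2}$ for a half/half split. All function names are mine.

```python
import itertools
import random


def ot_string(x0, x1, c):
    """Ideal (2,1)-OT^k on bit tuples: Bob learns x_c and nothing about x_{1-c}."""
    return x1 if c else x0


def xor(a, b):
    return tuple(p ^ q for p, q in zip(a, b))


def honest_commit(b, kappa, rng):
    """Commit(b) with kappa OT instances. Returns Alice's OT inputs
    [(x0^i, x1^i)] and Bob's view [(c^i, y^i, m^i)], m^i = x0^i ^ x1^i ^ b."""
    k = len(b)
    alice, bob = [], []
    for _ in range(kappa):
        x0 = tuple(rng.randrange(2) for _ in range(k))
        x1 = tuple(rng.randrange(2) for _ in range(k))
        c = rng.randrange(2)
        y = ot_string(x0, x1, c)
        m = xor(xor(x0, x1), b)
        alice.append((x0, x1))
        bob.append((c, y, m))
    return alice, bob


def open_message(alice, b, T):
    """Open(T): Alice sends T, b_T and the T-restricted OT inputs of every instance."""
    return (T, {j: b[j] for j in T},
            [({j: x0[j] for j in T}, {j: x1[j] for j in T}) for x0, x1 in alice])


def bob_verify(bob, msg):
    """Step 2 of Open: Bob accepts b_T iff every instance is consistent with
    his mask m^i and with the string y^i he obtained from the OT."""
    T, bT, revealed = msg
    for (c, y, m), (x0T, x1T) in zip(bob, revealed):
        for j in T:
            if m[j] != x0T[j] ^ x1T[j] ^ bT[j]:
                return False
            if y[j] != (x1T[j] if c else x0T[j]):
                return False
    return True


def extract(alice, masks):
    """The simulator's extractor from the proof of Lemma 7: bitwise majority
    over i of m^i_j ^ x0^i_j ^ x1^i_j, computed from the OT inputs alone."""
    kappa, k = len(alice), len(masks[0])
    return tuple(int(2 * sum(m[j] ^ x0[j] ^ x1[j]
                             for (x0, x1), m in zip(alice, masks)) > kappa)
                 for j in range(k))


def honest_round_trip(b, kappa, seed=7):
    """Honest commit/open, then an attempted open of the complement of b on
    the same OT inputs. Returns (accepted, tampered_accepted, extracted)."""
    rng = random.Random(seed)
    alice, bob = honest_commit(b, kappa, rng)
    T = tuple(range(len(b)))
    accepted = bob_verify(bob, open_message(alice, b, T))
    wrong = tuple(bi ^ 1 for bi in b)
    tampered = bob_verify(bob, open_message(alice, wrong, T))
    return accepted, tampered, extract(alice, [m for _, _, m in bob])


def cheat_success_probability(encode_as, target):
    """Binding for k = 1. Instance i encodes the bit encode_as[i]. To open
    `target`, the corrupt sender re-sends x0^i flipped on every instance that
    encodes the other bit; Bob detects that exactly when c^i = 0 there. The
    probability is taken over Bob's uniform choice bits by full enumeration;
    a half/half split gives 2^(-kappa/2) for either target."""
    kappa = len(encode_as)
    rng = random.Random(1)
    xs = [((rng.randrange(2),), (rng.randrange(2),)) for _ in range(kappa)]
    masks = [xor(xor(x0, x1), (e,)) for (x0, x1), e in zip(xs, encode_as)]
    revealed = [({0: x0[0] if e == target else x0[0] ^ 1}, {0: x1[0]})
                for (x0, x1), e in zip(xs, encode_as)]
    accepted = 0
    for cs in itertools.product((0, 1), repeat=kappa):
        bob = [(c, ot_string(x0, x1, c), m)
               for c, (x0, x1), m in zip(cs, xs, masks)]
        if bob_verify(bob, ((0,), {0: target}, revealed)):
            accepted += 1
    return accepted / 2 ** kappa


if __name__ == "__main__":
    print(honest_round_trip((1, 0, 1, 1), 6))          # (True, False, (1, 0, 1, 1))
    print(cheat_success_probability((0, 0, 1, 1), 1))  # 0.25 = 2^(-kappa/2)
```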

Any protocol that is statistically secure in the classical universal composability model [54] is also secure in the quantum universal composability model [27]. Together with the proofs from [26], [27], we, therefore, obtain the following theorem.

Theorem 6: There exists a protocol that implements $\binom{2}{1}$-OT$^k$ with an error $\varepsilon$ from $\kappa = O(\log(1/\varepsilon))$ instances of $\binom{2}{1}$-OT$^{k'}$ in the opposite direction, where $k' = O(k)$ if $k = \Omega(\kappa)$.

Since we can choose $k \gg \kappa$, this immediately implies that the bound of Corollary 3 does not hold for quantum protocols. Similar violations can be shown for the other two lower bounds (given in Corollary 1). For example, statistically secure and universally composable⁷ commitments can be implemented from shared randomness $P_{UV}$ that is distributed according to $(p)$-RabinOT at a rate of $H(U \mid V) = 1-p$ [56]. Using the quantum protocol of Theorem 6, one can implement $\mathcal{F}^{B\to A,k}_{\mathrm{OT}}$ with $k \in \Omega(n(1-p))$ from $n$ copies of $P_{UV}$. Since $I(U;V) = p$, quantum protocols can also violate the bound of Corollary 4.

It has been an open question whether noiseless quantum communication can increase the commitment capacity [56]. Our example implies a positive answer to this question.

V. Impossibility Results for Quantum Oblivious Transfer Reductions

We consider finite-dimensional Hilbert spaces $\mathcal{H}$. A quantum state $\rho$ is a positive semi-definite operator on $\mathcal{H}$ satisfying $\mathrm{tr}(\rho) = 1$. We use the notation $\rho_{AB}$ for a state on $\mathcal{H}_A \otimes \mathcal{H}_B$ and define the marginal state $\rho_A := \mathrm{tr}_B\,\rho_{AB}$. We use the symbol $\mathbb{1}_A$ to denote either the identity operator on $\mathcal{H}_A$ or the identity operator on the states on $\mathcal{H}_A$; it should be clear from the context which one is meant. Given a finite set $\mathcal{X}$ and an orthonormal basis $\{|x\rangle \mid x \in \mathcal{X}\}$ of a Hilbert space $\mathcal{H}_X$, we can encode a classical probability distribution $P_X$ as a quantum state $\rho_X = \sum_{x \in \mathcal{X}} P_X(x)\,|x\rangle\langle x|$. We define the state corresponding to the uniform distribution on $\mathcal{X}$ as $\tau_X := \frac{1}{|\mathcal{X}|}\sum_{x \in \mathcal{X}} |x\rangle\langle x|$. A state $\rho_{XB}$ on $\mathcal{H}_X \otimes \mathcal{H}_B$ is a classical-quantum or cq-state if it is of the form $\rho_{XB} = \sum_{x \in \mathcal{X}} P_X(x)\,|x\rangle\langle x| \otimes \rho^x_B$. The Hadamard transform is the unitary described by the matrix $H = \frac{1}{\sqrt{2}}\begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}$ in the computational basis $\{|0\rangle, |1\rangle\}$. For $x, \theta \in \{0,1\}^n$, we write $H^\theta|x\rangle$ for the state $H^\theta|x\rangle = H^{\theta_1}|x_1\rangle \otimes \dots \otimes H^{\theta_n}|x_n\rangle$. We also call states of this form BB84-states. When speaking of the basis $\theta \in \{0,1\}^n$ we mean the basis $\{H^\theta|x\rangle \mid x \in \{0,1\}^n\}$. For a given basis $\mathcal{B} = \{|x_1\rangle,\dots,|x_d\rangle\}$ we say that we measure in basis $\mathcal{B}$ to indicate that we perform a projective measurement given by the operators $P_k = |x_k\rangle\langle x_k|$ for all $k \in [d]$. The trace distance between two quantum states $\rho$ and $\tau$ is defined as
$$D(\rho, \tau) := \max_{\mathcal{E}} D\bigl(\mathcal{E}(\rho), \mathcal{E}(\tau)\bigr) ,$$
where the maximum is over all POVMs and $\mathcal{E}(\rho)$ is the probability distribution of the measurement outcomes. In particular, for any two cq-states $\rho_{XA}$ and $\sigma_{XA}$, $D(\rho_{XA}, \sigma_{XA}) \leq \varepsilon$ implies that for any measurement $G$ on system $A$, we have
$$\bigl|\Pr[G(\rho_A) = X] - \Pr[G(\sigma_A) = X]\bigr| \leq \varepsilon . \quad (31)$$
If we choose $\sigma_{XA} := \tau_X \otimes \rho_A$, this implies that
$$\Pr[G(\rho_A) = X] \leq \frac{1}{|\mathcal{X}|} + \varepsilon . \quad (32)$$
The conditional von Neumann entropy is defined as
$$H(A \mid B)_\rho := H(\rho_{AB}) - H(\rho_B) ,$$
where $H(\rho) := \mathrm{tr}(-\rho\log\rho)$. The Alicki-Fannes inequality [57] implies that
$$H(A \mid B)_\rho \geq (1 - 4\varepsilon)\cdot\log|A| - 2h(\varepsilon) , \quad (33)$$

⁷ Stand-alone statistically secure commitments based on stateless two-party primitives are universally composable [55].



for any state $\rho_{AB}$ with $D(\rho_{AB}, \tau_A \otimes \rho_B) \leq \varepsilon$. Let $\rho_{XB}$ be a state that is classical on $X$. If there exists a measurement on $B$ with outcome $X'$ such that $\Pr[X' \neq X] \leq \varepsilon$, then
$$H(X \mid B)_\rho \leq H(X \mid X') \leq h(\varepsilon) + \varepsilon\cdot\log|X| . \quad (34)$$
Let $\rho_{ABC}$ be a tripartite state. Subadditivity and the triangle inequality [58] imply that
$$H(A \mid BC)_\rho \geq H(A \mid B)_\rho - 2H(C)_\rho . \quad (35)$$
The conditional entropy $H(A \mid B)_\rho$ can decrease by at most $\log|Z|$ when conditioning on an additional classical system $Z$, i.e., for any tripartite state $\rho_{ABZ}$ that is classical on $Z$ with respect to some orthonormal basis $\{|z\rangle\}_{z \in \mathcal{Z}}$, we have
$$H(A \mid BZ)_\rho \geq H(A \mid B)_\rho - \log|Z| . \quad (36)$$
The next lemma can be obtained by applying the asymptotic equipartition property to the corresponding lemma for the smooth min-entropy in [59]. It shows that the entropy $H(A \mid BC)_\rho$ cannot increase too much when a projective measurement is applied to system $C$.

Lemma 8: Let $\rho_{ABC}$ be a tripartite state. Furthermore, let $\mathcal{M}$ be a projective measurement in the basis $\{|z\rangle\}_{z \in \mathcal{Z}}$ on $C$ and $\rho_{ABZ} := (\mathbb{1}_{AB} \otimes \mathcal{M})(\rho_{ABC})$. Then,
$$H(A \mid BC)_\rho \geq H(A \mid BZ)_\rho - \log|Z| .$$



A. Security Definition

A protocol is an $\varepsilon$-secure implementation of OT in the malicious model if for any adversary $\mathcal{A}$ attacking the protocol (real setting), there exists a simulator $\mathcal{S}$ using the ideal OT (ideal setting) such that for all inputs of the honest players the real and the ideal setting can be distinguished with an advantage of at most $\varepsilon$. This definition implies the following three conditions (see also [60]):

• Correctness: If both players are honest, Alice has random inputs $(X_0, X_1) \in \{0,1\}^k \times \{0,1\}^k$ and Bob has input $c \in \{0,1\}$, then Bob always receives $X_c$ in the ideal setting. This implies that in an $\varepsilon$-secure protocol, Bob must output a value $Y$, where
$$\Pr[Y \neq X_c] \leq \varepsilon . \quad (37)$$

• Security for Alice: Let Alice be honest and Bob malicious, and let Alice's input be chosen uniformly at random. In the ideal setting, the simulator must provide the ideal OT with a classical input $C' \in \{0,1\}$. He receives the output $Y$ and then outputs a quantum state $\sigma_B$ that may depend on $C'$ and $Y$. The output of the simulator together with the classical values $X_0$, $X_1$ and $C'$ now defines the state $\sigma_{X_0X_1BC'}$. Since $X_{1-C'}$ is random and independent of $C'$ and $Y$, we must have
$$\sigma_{X_{1-C'}X_{C'}BC'} = \tau_{\{0,1\}^k} \otimes \sigma_{X_{C'}BC'} \quad (38)$$
and
$$D(\sigma_{X_0X_1B}, \rho_{X_0X_1B}) \leq \varepsilon , \quad (39)$$
where $\rho_{X_0X_1B}$ is the resulting state of the protocol.⁸

• Security for Bob: If Bob is honest and Alice malicious, the simulator outputs a quantum state $\sigma_A$ that is independent of Bob's input $c$. Let $\rho^c_A$ be the state that Alice has at the end of the protocol if Bob's input is $c$. The security definition now requires that $D(\sigma_A, \rho^c_A) \leq \varepsilon$ for $c \in \{0,1\}$. By the triangle inequality, we get
$$D(\rho^0_A, \rho^1_A) \leq 2\varepsilon . \quad (40)$$

Note that the Conditions (37)–(40) are only necessary for the security of a protocol; they do not imply that a protocol is secure.

In the following we present two impossibility results for quantum protocols that implement $\binom{2}{1}$-OT using a bit commitment functionality or randomness distributed to the players. We consider protocols which are information-theoretically secure. In particular, we assume that the adversary has unlimited memory space and can apply arbitrary quantum operations to his whole quantum system. Our proofs use similar techniques as the impossibility results in [37], [38], [39].

We assume that the two parties, Alice and Bob, have access 
to a noiseless quantum and a noiseless classical channel. 
The protocol proceeds in rounds, where in any round of 
the protocol, the parties may perform an arbitrary quantum 
operation on the system in their possession. This operation 
can be conditioned on the available classical information and 
generates the inputs to the communication channels. The 
quantum channel transfers a part of one party's system to 
the other party. The classical channel measures the input in a 
canonical basis and sends the outcome of the measurement to 
the receiver. We assume that the total number of rounds of the 
protocol is bounded by a finite number. Since we can always 
introduce empty rounds, this corresponds to the assumption 
that the number of rounds is equal in every execution of the 
protocol. 

All quantum operations of both parties can be purified by introducing an additional memory space: Any quantum operation $\mathcal{E}$ can be simulated by adding an ancillary system, applying a unitary on the composite system, and then tracing out part of the remaining system. More precisely, for any TP-CPM $\mathcal{E}$ from the states on $\mathcal{H}_A$ to the states on $\mathcal{H}_B$, there exists a Hilbert space $\mathcal{H}_R$, a unitary $U$ acting on $\mathcal{H}_{ABR}$ and a pure state $\sigma_{BR}$ on $\mathcal{H}_{BR}$ such that
$$\mathcal{E}(\rho_A) = \mathrm{tr}_{AR}\bigl(U(\rho_A \otimes \sigma_{BR})U^\dagger\bigr) . \quad (41)$$
This is known as the Stinespring dilation [61] of $\mathcal{E}$. Thus, we can assume that the parties apply in every round of the protocol a unitary to their system conditioned on the information shared over the classical channel. In particular, we can assume that the system remains in a pure state conditioned on the information shared over the classical channel if the initial state of the protocol is pure. Since a malicious player can purify all his

⁸ The standard security definition of OT considered here requires Bob's choice bit to be fixed at the end of the protocol. To show that a protocol is insecure, it suffices, therefore, to show that Bob can still choose after the termination of the protocol whether he wants to receive $x_0$ or $x_1$. Lo in [39] shows impossibility of OT in a stronger sense, namely that Bob can learn all of Alice's inputs.



quantum operations in the original protocol without being 
detected, the purified protocol is secure according to our 
definition if the original protocol is secure. 

An important tool in our impossibility proofs is the following technical lemma from [59], which generalizes a result already used in [37], [38], [39].

Lemma 9: For $b \in \{0,1\}$, let
$$\rho^b_{XX'AB} = \sum_x P_b(x)\,|x\rangle\langle x|_X \otimes |x\rangle\langle x|_{X'} \otimes |\psi^b_{AB}\rangle\langle\psi^b_{AB}|$$
with $D(\rho^0_{X'B}, \rho^1_{X'B}) \leq \varepsilon$. Then there exists a unitary $U_{AX}$ such that
$$D(\rho'_{XX'AB}, \rho^1_{XX'AB}) \leq \sqrt{2\varepsilon} ,$$
where $\rho'_{XX'AB} = (U_{XA} \otimes \mathbb{1}_{X'B})\,\rho^0_{XX'AB}\,(U_{XA} \otimes \mathbb{1}_{X'B})^\dagger$.

First, we consider protocols where the players can use a 
certain number n of ideal bit commitments as a resource to 
implement an oblivious transfer. 

Theorem 7: Any protocol that implements a $\binom{2}{1}$-OT$^k$ with an error of at most $\varepsilon$, where $0 \le \varepsilon \le 0.002$, from black-box bit commitments has to use at least $(1 - 3\sqrt{\varepsilon}) \cdot k - 3h(\sqrt{\varepsilon})$ bit commitments.

Proof: Let $n_A$ be the number of bit commitments from Alice to Bob and $n_B$ the number of bit commitments from Bob to Alice used in the protocol and $n = n_A + n_B$. Let Alice choose her inputs $X_0$ and $X_1$ uniformly at random. Let the final state of the protocol on Alice's and Bob's system be $\rho^c_{AB}$ when both players are honest and Bob has input $c \in \{0,1\}$. If Bob is executing the protocol honestly using input $c = 1$, he can compute $X_1$ with probability at least $1 - \varepsilon$. Since the protocol is $\varepsilon$-secure for Alice, we can conclude from Lemma 20 that $D(\rho^1_{X_0B}, \tau_{X_0} \otimes \rho^1_B) \le 5\varepsilon$. Equation (33) implies that

$$H(X_0|B)_{\rho^1} \ge (1 - 20\varepsilon)\cdot k - 10h(\varepsilon) . \qquad (42)$$

In the following, we consider a modified protocol that does not use the bit commitment functionality and is not necessarily secure for Alice. In this protocol we make Bob more powerful in the sense that he can simulate the original protocol locally. Thus, the modified protocol is still secure for Bob. Furthermore, the resulting state is pure conditioned on the classical communication. Therefore, we can apply Lemma 9 to derive an upper bound on the entropy of $X_0$ conditioned on Bob's system in the new protocol. Finally, we use the data-processing inequalities for the conditional entropy to show that this entropy can have decreased in the modified protocol by at most the number of commitments, which, together with inequality (33), implies the statement of the theorem.

In the modified protocol, Alice, instead of sending bits to the commitment functionality, measures the bits to be committed, stores a copy of each and sends them to Bob, who stores them in a classical register $C_A$. When one of these commitments is opened, he moves the corresponding bit to his register $B$. Bob simulates the action of the commitment functionality locally as follows: Instead of measuring a register $Y$ and sending the outcome to the commitment functionality, he applies the isometry $U : |y\rangle_Y \mapsto |yy\rangle_{YY'}$ purifying the measurement of the committed bit and stores $Y'$ in another register $C_B$. When Bob has to open the commitment, he measures $Y'$ and sends the outcome to Alice over the classical channel. The state of the modified protocol is pure conditioned on the classical communication. Let $\rho^c_{ABC}$, where $C$ stands for $C_AC_B$, be the final state of this protocol. Note that its marginal state $\rho^c_{AB}$ is the corresponding state at the end of the original protocol. Since the protocol is $\varepsilon$-secure for Bob, we have $D(\rho^0_A, \rho^1_A) \le 2\varepsilon$. From Lemma 9 follows that there exists a unitary $U_{BC}$ such that Bob can transform the state $\rho^1$ into a state $\tilde\rho^0$ with $D(\tilde\rho^0, \rho^0) \le 2\sqrt{\varepsilon}$. Since given the state $\rho^0_{X_0B}$, $X_0$ can be guessed from $\rho^0_B$ with probability $1 - \varepsilon$, it follows from (31) that $X_0$ can be guessed from $\rho^1_{BC}$ with a probability of at least $1 - \varepsilon - 2\sqrt{\varepsilon}$. By inequality (34), we obtain

$$H(X_0|BC)_{\rho^1} \le h(\varepsilon) + h(2\sqrt{\varepsilon}) + (\varepsilon + 2\sqrt{\varepsilon})\cdot k . \qquad (43)$$

We can use Lemma 8 and inequality (36) to conclude that

$$H(X_0|BC_AC_B)_{\rho^1} \ge H(X_0|B)_{\rho^1} - n .$$

For $\varepsilon \le 0.002$, we have $h(\sqrt{\varepsilon}) \ge 11h(\varepsilon)$ and $21\varepsilon \le \sqrt{\varepsilon}$. This implies the statement. ■

Theorem 7 implies that there exists a constant $c > 0$ such that any protocol that implements $m+1$ bit commitments from $m$ bit commitments must have an error of at least $c/m$, i.e., bit commitment cannot be extended by quantum protocols. This result can be generalized in the following sense: For any protocol that implements a single string commitment from a certain number of bit commitments, the length of the implemented string commitment is essentially bounded by the number of used bit commitments, even if the protocol is allowed to have a small constant error.



Next, we consider protocols where the two players have access to distributed randomness $P_{UV}$. We can model this primitive as a quantum primitive $\sum_{u,v} \sqrt{P_{UV}(u,v)} \cdot |u,v\rangle_{UV} \otimes |u,v\rangle_E$ that distributes the values $u$ and $v$ to Alice and Bob and keeps the register $E$.

Theorem 8: To implement a $\binom{2}{1}$-OT$^k$ with an error of at most $\varepsilon$, where $0 \le \varepsilon \le 0.002$, from a primitive $P_{UV}$, we need

$$H_{\max}(U|V) + H_{\max}(V|U) \ge (1 - 3\sqrt{\varepsilon})\cdot k - 3h(\sqrt{\varepsilon}) ,$$

and

$$2H(UV) \ge (1 - 3\sqrt{\varepsilon})\cdot k - 3h(\sqrt{\varepsilon}) .$$

Proof: Let the final state of the protocol on Alice's and Bob's system be $\rho^c_{AB}$ when both players are honest and Bob has input $c \in \{0,1\}$. As in the proof of the previous theorem we have

$$H(X_0|B)_{\rho^1} \ge (1 - 20\varepsilon)\cdot k - 2h(5\varepsilon) \ge (1 - 20\varepsilon)\cdot k - 10h(\varepsilon) .$$

Consider a modified protocol that starts from a state

$$\sum_{u,v} \sqrt{P_{UV}(u,v)} \cdot |u,v\rangle_{UV} \otimes |u,v\rangle_{U'V'} ,$$

where the systems $V$ and $U'V'$ belong to Bob. Again Bob is more powerful in the modified protocol because he can simulate the state of the original protocol locally. As in (43) in the proof of the previous theorem we can, therefore, conclude that

$$H(X_0|BU'V')_{\rho^1} \le h(\varepsilon) + h(2\sqrt{\varepsilon}) + (\varepsilon + 2\sqrt{\varepsilon})\cdot k .$$

Since measuring register $V'$ and discarding register $U'$ results in the state $\rho^1_{X_0B}$, we can use Lemma 8 and inequality (36) to obtain

$$H(X_0|BU'V')_{\rho^1} \ge H(X_0|B)_{\rho^1} - \max_v \log|\operatorname{supp}(P_{U|V=v})| - \max_u \log|\operatorname{supp}(P_{V|U=u})| .$$

This implies the first statement. The second statement follows from the inequality

$$H(X_0|BB')_{\rho^1} \ge H(X_0|B)_{\rho^1} - 2H(B') , \qquad (44)$$

which is implied by (35). ■
The theorem immediately implies the following corollary.

Corollary 12: To implement a $\binom{2}{1}$-OT$^k$ with an error of at most $\varepsilon$, where $0 \le \varepsilon \le 0.002$, from $n$ instances of $\binom{2}{1}$-OT in either direction, we must have

$$2n \ge (1 - 3\sqrt{\varepsilon})\cdot k - 3h(\sqrt{\varepsilon}) .$$

Theorem 8 implies that $\binom{2}{1}$-OT$^1$ cannot be extended by quantum protocols in the following sense: Given a protocol that implements $m+1$ instances of $\binom{2}{1}$-OT$^1$ from $m$ instances of $\binom{2}{1}$-OT$^1$ with an error $\varepsilon$, we can apply this protocol iteratively and implement $4m$ instances of $\binom{2}{1}$-OT$^1$ from $m$ instances of $\binom{2}{1}$-OT$^1$ with an error of $\varepsilon' := 3m\varepsilon$, assuming that Bob follows the protocol. Thus, Corollary 12 implies that $12\sqrt{\varepsilon'} + 3h(\sqrt{\varepsilon'})/m \ge 2$ if $\varepsilon' \le 0.002$. Thus, $\varepsilon' > 0.002$ and $\varepsilon > \frac{1}{1500m}$. Hence, any quantum protocol that implements $m+1$ instances of $\binom{2}{1}$-OT$^1$ from $m$ instances of $\binom{2}{1}$-OT$^1$ must have an error of at least
The second bound of Theorem 8 also holds for more general primitives that generate a pure state $|\psi\rangle_{ABE}$, distribute registers $A$ and $B$ to Alice and Bob and keep the purification in a register $E$.

Theorem 9: To implement a $\binom{2}{1}$-OT$^k$ with an error of at most $\varepsilon$, where $0 \le \varepsilon \le 0.002$, from a primitive $|\psi\rangle_{ABE}$, we need

$$2H(E)_\psi \ge (1 - 3\sqrt{\varepsilon})\cdot k - 3h(\sqrt{\varepsilon}) .$$

The proof of Theorem 9 follows exactly the same reasoning as the proof of Theorem 8 and is omitted.

Next, we give an additional lower bound for reductions of OT to commitments that shows that the number of commitments (of arbitrary size) used in any $\varepsilon$-secure protocol must be at least $\Omega(\log(1/\varepsilon))$. We model the commitments as before, i.e., the functionality applies the isometry $U : |y\rangle_Y \mapsto |yy\rangle_{YY'}$ and stores $Y$ and $Y'$ in separate registers $E_A$ and $E_B$ for Alice and Bob. The proof idea is the following: We let the adversary guess a subset $T$ of commitments that he will be required to open during the protocol. He honestly executes all commitments in $T$, but cheats in all others. If the adversary guesses $T$ right, he is able to cheat in the same way as in any protocol that does not use any commitments.

Theorem 10: Any quantum protocol that implements $\binom{2}{1}$-OT$^k$ using $\kappa$ commitments (of arbitrary length) must have an error of at least $2^{-\kappa}/36$.
Protocol OTfromCommitment

1) Alice prepares $m$ EPR pairs, $(|00\rangle + |11\rangle)/\sqrt{2}$, and sends one qubit of each pair to Bob. Bob selects $\tilde\theta \in \{0,1\}^m$ at random and measures the received qubits in basis $\tilde\theta$, obtaining $\tilde x \in \{0,1\}^m$. Alice chooses a basis $\theta \in \{0,1\}^m$ at random (but does not measure her qubits yet).

2) Bob commits in blocks of size $b$ to $\tilde\theta$ and $\tilde x$. Alice samples a random subset $t \subseteq [\kappa]$ of cardinality $\alpha\kappa$ and asks Bob to open the commitments to the corresponding blocks of values $(\tilde\theta_i, \tilde x_i)$. Let $T$ be the set of bits in $[m]$ corresponding to $t$. Alice measures her qubits indexed by $T$ in Bob's basis $\tilde\theta_T$ to obtain $x_T$ and verifies that $x_i = \tilde x_i$ whenever $\tilde\theta_i = \theta_i$. If Bob does not commit to all values as required or does not open all commitments or if Alice detects an inconsistency, Alice outputs two random $k$-bit strings $Z_0, Z_1$ and terminates the protocol.

3) (Set partitioning) Alice sends $\theta$ to Bob. Bob partitions $\bar T := [m] \setminus T$ into the subsets $I_c = \{i \in \bar T : \tilde\theta_i = \theta_i\}$ and $I_{1-c} = \{i \in \bar T : \tilde\theta_i \neq \theta_i\}$ and sends $I_0$ and $I_1$ to Alice. Additionally, Alice measures her qubits in basis $\theta$ to obtain $x$.

4) (Key extraction) Alice chooses and sends to Bob two-universal hash functions $f_0, f_1$ with output length $k$, and computes $z_0 := f_0(x_{I_0})$ and $z_1 := f_1(x_{I_1})$. Bob computes $z_c = f_c(\tilde x_{I_c})$.



Proof: We define $\varepsilon := 2^{-\kappa}/36$. Let $\rho^c_{ABE_AE_B}$ be the final state of an $\varepsilon$-secure protocol when both players are honest and Bob has input $c \in \{0,1\}$. We distinguish two cases. In the first case, we assume that $D(\rho^0_{AE_A}, \rho^1_{AE_A}) > \varepsilon' := 1/18$. We let Bob be honest and let Alice apply the following strategy: She chooses a random subset $T$ of $[\kappa]$. She executes all commitments in $T$ honestly, but for all commitments not in $T$ she sends $|0\rangle$ to $E_A$ and simulates the action of the commitment functionality in her quantum register. Otherwise, she follows the whole protocol honestly.

During the execution of the protocol, Bob may ask Alice to open a certain set of commitments, $T'$. If $T' = T$, which happens with probability $2^{-\kappa}$ independently of everything else, then at the end of the protocol the global state is $\rho^c$, but $E_A$ is now part of Alice's system. Thus, the states of Alice's system for $c = 0$ and $c = 1$ have distance larger than $\varepsilon' \cdot 2^{-\kappa} = 2\varepsilon$, which contradicts condition (40).

In the second case, we assume that $D(\rho^0_{AE_A}, \rho^1_{AE_A}) \le \varepsilon'$. From condition (37) follows that honest Bob can guess $X_1$ with probability $1 - \varepsilon$ if $c = 1$. According to Lemma 20, $X_0$ should be $5\varepsilon$-close to uniform with respect to $\rho^1$. To obtain a contradiction to the security condition (39), it is according to equation (32) sufficient to show that Bob can guess the first bit of $X_0$ with a probability greater than $1/2 + 5\varepsilon$.

Again, if Bob guesses the set $T$ right, then $E_B$ is part of Bob's system. Then Lemma 9 guarantees the existence of a unitary $U_{BE_B}$ such that Bob can transform the state $\rho^1$ into a state $\tilde\rho^1$ with $D(\rho^0, \tilde\rho^1) \le \sqrt{2\varepsilon'}$. Thus, Bob can guess $X_0$ with an error of at most $\sqrt{2\varepsilon'} + \varepsilon$ given $\tilde\rho^1$. If he fails to guess $T$, he simply outputs a random bit as his guess for the first bit of $X_0$. Since the probability that he guesses the subset $T$ correctly is exactly $2^{-\kappa}$, he can guess the first bit of $X_0$ with probability

$$(1 - 2^{-\kappa})\cdot \tfrac{1}{2} + 2^{-\kappa}\cdot\big(1 - \varepsilon - \sqrt{2\varepsilon'}\big) = \tfrac{1}{2} + 2^{-\kappa}\cdot\big(\tfrac{1}{2} - \varepsilon - \sqrt{2\varepsilon'}\big) \ge \tfrac{1}{2} + 2^{-\kappa}\cdot\big(\tfrac{1}{2} - \varepsilon'/2 - \sqrt{2\varepsilon'}\big)$$



VI. Reduction of OT to String Commitments

We will now show how to construct a protocol that is optimal with respect to the lower bounds of both Theorem 7 and Theorem 10.

We modify the protocol from [24] by grouping the $m$ pairs of values into $\kappa$ blocks of size $b := m/\kappa$. We let Bob commit to the blocks of $b$ pairs of values at once. The subset $T$ is now of size $\alpha\kappa$ and defines the blocks to be opened by Bob. If Bob is able to open all commitments in $T$ correctly, then the state of the protocol must be close in a certain sense to the state that would result from correctly measuring all qubits. Since we consider security in the malicious model, a dishonest player may abort the protocol by not sending any message. A possibility to handle this would be to include a special output "aborted" in the definition of the primitive. Here, we take the following, different approach, which is also used, for example, in [62]: Whenever a player does not send a (well-formed) message, the other player assumes that a fixed default message, as for example the all-zero string, has been sent. Note that our protocol is different from the protocols analyzed in [26], [63]. Besides replacing the bit commitments by string commitments, Alice outputs two random strings if Bob aborts in the commitment or in the check step. This allows us to implement an ideal OT functionality that does not have a special output "aborted".
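The following Python simulation is an added illustration of Protocol OTfromCommitment with the block-wise commitments just described; it is not code from the paper or its authors. It reproduces the EPR-pair measurement statistics classically, models the commitment as an ideal functionality that stores blocks until they are opened, and uses uniformly random GF(2) matrices as the two-universal hash functions; the parameter values $\kappa$, $b$, $\alpha$, $k$ in the test run are assumed, not taken from the paper.

```python
"""Classical simulation of Protocol OTfromCommitment (constructed example).

EPR statistics are reproduced classically: Bob measures his half first, which
fixes his outcome; Alice's later measurement of her half agrees with Bob's
outcome when the bases match and is a uniform random bit otherwise.  A Bob
who commits to values without measuring (so Alice's halves stay maximally
mixed) is included to show what the check step of step 2 catches.
"""
import random


def random_bits(n, rng):
    return [rng.randrange(2) for _ in range(n)]


class AliceQubits:
    """Alice's halves of the m EPR pairs, after Bob has handled his halves."""

    def __init__(self, bob_basis, bob_outcome, bob_measured, rng):
        self.bob_basis, self.bob_outcome = bob_basis, bob_outcome
        self.bob_measured, self.rng = bob_measured, rng
        self.used = [False] * len(bob_basis)

    def measure(self, i, basis):
        assert not self.used[i], "each qubit is measured exactly once"
        self.used[i] = True
        if self.bob_measured and basis == self.bob_basis[i]:
            return self.bob_outcome[i]    # same basis: perfectly correlated
        return self.rng.randrange(2)      # conjugate basis or unmeasured: uniform


class IdealCommitment:
    """Ideal string commitment: a stored block is revealed unchanged on open."""

    def __init__(self):
        self.blocks = {}

    def commit(self, j, block):
        self.blocks[j] = list(block)

    def open(self, j):
        return self.blocks[j]


def two_universal_hash(matrix, bits):
    """z = M x over GF(2); a uniformly random M gives a two-universal family."""
    return [sum(r & x for r, x in zip(row, bits)) % 2 for row in matrix]


def run_protocol(kappa, b, alpha, k, c, seed=0, bob_measures=True):
    """One run with kappa blocks of b pairs, check fraction alpha, k-bit outputs.

    Returns Alice's z0, z1 and Bob's output (None if Alice detected an
    inconsistency and output two fresh random strings instead).
    """
    rng = random.Random(seed)
    m = kappa * b
    # Step 1: Bob picks basis theta~ and (if honest) measures to obtain x~;
    # Alice picks her basis theta but measures nothing yet.
    theta_b, x_b = random_bits(m, rng), random_bits(m, rng)
    theta_a = random_bits(m, rng)
    qubits = AliceQubits(theta_b, x_b, bob_measures, rng)
    # Step 2: Bob commits block-wise to (theta~_i, x~_i); Alice opens alpha*kappa blocks.
    com = IdealCommitment()
    for j in range(kappa):
        com.commit(j, [(theta_b[i], x_b[i]) for i in range(j * b, (j + 1) * b)])
    t = rng.sample(range(kappa), int(alpha * kappa))
    T = set()
    for j in t:
        for offset, (tb, xb) in enumerate(com.open(j)):
            i = j * b + offset
            T.add(i)
            x_i = qubits.measure(i, tb)            # measured in Bob's basis
            if tb == theta_a[i] and x_i != xb:     # inconsistency detected
                return {"z0": random_bits(k, rng), "z1": random_bits(k, rng),
                        "bob": None, "aborted": True}
    # Step 3: set partitioning of T-bar; Alice measures the rest in her basis theta.
    t_bar = [i for i in range(m) if i not in T]
    I = {c: [i for i in t_bar if theta_b[i] == theta_a[i]],
         1 - c: [i for i in t_bar if theta_b[i] != theta_a[i]]}
    x_a = {i: qubits.measure(i, theta_a[i]) for i in t_bar}
    # Step 4: key extraction with two-universal hashes f0, f1 chosen by Alice.
    f = {j: [random_bits(len(I[j]), rng) for _ in range(k)] for j in (0, 1)}
    z = {j: two_universal_hash(f[j], [x_a[i] for i in I[j]]) for j in (0, 1)}
    bob_z = two_universal_hash(f[c], [x_b[i] for i in I[c]])
    return {"z0": z[0], "z1": z[1], "bob": bob_z, "aborted": False,
            "mismatch_other": sum(x_a[i] != x_b[i] for i in I[1 - c]),
            "size_other": len(I[1 - c])}


if __name__ == "__main__":
    r = run_protocol(kappa=8, b=16, alpha=0.5, k=16, c=1, seed=2024)
    print("honest run: aborted =", r["aborted"], "; Bob holds z_c =", r["bob"] == r["z1"])
    print("Bob's bits on I_{1-c} disagree with Alice's in",
          r["mismatch_other"], "of", r["size_other"], "positions")
    r = run_protocol(kappa=8, b=16, alpha=0.5, k=16, c=0, seed=1, bob_measures=False)
    print("Bob committed without measuring: aborted =", r["aborted"])
```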

We only need to estimate the error probability of the classical sampling strategy that corresponds to the new checking procedure of Alice and apply the result from [63]. We need the following sampling result, which follows from Lemma 5.5 in [64] and Hoeffding's inequality [65].

Lemma 10: Let $\alpha \in [0,1]$. Let $y = (y_1, \ldots, y_m)$ be a bit string of length $m := b\kappa$ that we group into $\kappa$ blocks of size $b$. Let $t$ be a random subset of $[\kappa]$ of size $\alpha\kappa$, $T$ the corresponding set of bits in $[m]$ and $\bar T$ the complement of $T$. Let $T'$ be a random subset of $T$, where every element is chosen to be in $T'$ with probability $\frac{1}{2}$, independently of everything else. We have for any $\delta > 0$

$$\Pr\left[\,\left|\frac{1}{|T'|}\sum_{i \in T'} y_i - \frac{1}{(1-\alpha)m}\sum_{i \in \bar T} y_i\right| > \delta\,\right] \le \varepsilon ,$$

where $\varepsilon := 3\exp\big(-(1/2 - \delta)\alpha\kappa\delta^2/8\big)$.

Lemma 11 (Security for Alice): Let $Z_0$ and $Z_1$ be the strings from $\{0,1\}^k$ output by Alice. Then there exists a binary $C$ such that for any $\varepsilon, \delta > 0$ the following upper bound on the distance from uniform of $Z_{1-C}$ with respect to $Z_C$ and Bob's system holds:

$$\le 2^{-\frac{1}{2}\left(\left(\frac{1}{2} - \varepsilon/2 - h(\delta)\right)(1-\alpha)m - k\right) - 1} + 2\exp\big(-2\varepsilon^2(1-\alpha)m\big) + \sqrt{3}\exp\big(-\alpha'\kappa\delta^2/16\big) , \qquad (45)$$

where $E$ denotes the quantum state output by Bob, $\mathbb{1}$ the identity operator on $\mathbb{C}^2$ and $\alpha' := (1/2 - \delta)\alpha$.

Proof: We consider the state shared between Alice and Bob after Bob has committed to the bases $\tilde\theta$ and the measurement outcomes $\tilde x$, where we can assume $\tilde\theta = \tilde x = (0, \ldots, 0)$. Since we want to prove an upper bound on (45), we can assume that Bob always opens all commitments. Otherwise the distance from uniform can only decrease. Alice now chooses a subset $T$ to be opened by Bob. As in the proof of Theorem 4 from [66], Lemma 10 implies that the joint state is $\sqrt{3}\exp(-\alpha'\kappa\delta^2/16)$-close to an ideal state that is, for every choice of $T$ and $S$, in a superposition of states with relative Hamming weight in a $\delta$-neighbourhood of $\beta$ within $\bar T$, where $\beta$ is the number of inconsistencies that Alice detects and $S$ is the subset of $T$ that Alice checks. We assume that the state equals this ideal state and add the error later. Then, following the proof of Theorem 4 in [63] for $\beta = 0$, we obtain that the distance from uniform of one of the outputs with respect to Bob's system (given the other output) is bounded from above by

$$2^{-\frac{1}{2}\left(\left(\frac{1}{2} - \varepsilon/2 - h(\delta)\right)(1-\alpha)m - k\right) - 1} + 2\exp\big(-2\varepsilon^2(1-\alpha)m\big) .$$

If $\beta > 0$, the distance from uniform is zero. Thus, the statement follows by adding the distance of the ideal state to the real state. ■

Lemma 12 (Security for Bob): The protocol is perfectly secure for Bob.

Proof: Let $\rho_{A'YC}$ be the state created by the protocol if Bob is honest. We consider a hypothetical protocol where Bob does not use any commitments. He stores all the qubits received from Alice. After Alice sends the set $T$, he chooses a basis $\tilde\theta$ and measures his qubits corresponding to $T$ in basis $\tilde\theta$ to obtain $\tilde x_T$, but does not yet measure the other qubits. Then he sends $\tilde x_T$ and $\tilde\theta_T$ to Alice. After he gets the basis $\theta$ from Alice he measures all his remaining qubits in Alice's basis $\theta$ to obtain $\tilde x$. Next, he chooses his input $C \in \{0,1\}$ and constructs the sets $I_0$ and $I_1$ using $\tilde\theta$ and $\theta$ as in the protocol. After receiving $f_0, f_1 \in \mathcal{F}$ from Alice, he computes $z_0 = f_0(\tilde x_{I_0})$ and $z_1 = f_1(\tilde x_{I_1})$. This results in a state $\sigma_{A'Z_0Z_1C}$, where $Z_0$ and $Z_1$ are the values computed by Bob. We have $\sigma_{A'Z_0Z_1C} = \sigma_{A'Z_0Z_1} \otimes \sigma_C$ and $\sigma_{A'Z_CC} = \rho_{A'YC}$. ■



Lemma 13 (Correctness): The protocol is perfectly correct.

Proof: If both players are honest, then $Z_0$, $Z_1$ and $C$ are independently distributed according to the required distributions. Furthermore, Bob always computes $Z_C$ as his output. ■

The following theorem is then immediately implied by Lemmas 11, 12 and 13.

Theorem 11: There exists a quantum protocol that uses $\kappa = O(\log 1/\varepsilon)$ commitments of size $b$, where $\kappa b = O(k + \log 1/\varepsilon)$, and implements a $\binom{2}{1}$-OT$^k$ with an error of at most $\varepsilon$.

VII. Conclusions 
References 

[1] S. Winkler and J. Wullschleger, "On the efficiency of classical and 
quantum oblivious transfer reductions," in CRYPTO, ser. Lecture Notes 
in Computer Science, vol. 6223. Springer, 2010, pp. 707-723. 

[2] A. C. Yao, "Protocols for secure computations," in Proceedings of the 
23rd Annual IEEE Symposium on Foundations of Computer Science 
(FOCS '82), 1982, pp. 160-164. 

[3] O. Goldreich and R. Vainish, "How to solve any protocol problem - an efficiency improvement," in Advances in Cryptology — CRYPTO '87, ser. Lecture Notes in Computer Science. Springer-Verlag, 1988, pp. 73-86.

[4] J. Kilian, "Founding cryptography on oblivious transfer," in Proceed- 
ings of the 20th Annual ACM Symposium on Theory of Computing 
(STOC '88). ACM Press, 1988, pp. 20-31. 

[5] M. O. Rabin, "How to exchange secrets by oblivious transfer," Harvard 
Aiken Computation Laboratory, Tech. Rep. TR-81, 1981. 

[6] S. Even, O. Goldreich, and A. Lempel, "A randomized protocol for 
signing contracts," Commun. ACM, vol. 28, no. 6, pp. 637-647, 1985. 

[7] C. Crepeau, "Equivalence between two flavours of oblivious transfers," in Advances in Cryptology — EUROCRYPT 1987, ser. Lecture Notes in Computer Science. Springer-Verlag, 1988, pp. 350-354.

[8] G. Brassard, C. Crepeau, and J.-M. Robert, "Information theoretic reduc- 
tions among disclosure problems," in Proceedings of the 27th Annual 
IEEE Symposium on Foundations of Computer Science (FOCS '86), 
1986, pp. 168-173. 

[9] C. Crepeau and M. Santha, "On the reversibility of oblivious transfer," 
in Advances in Cryptology — EUROCRYPT '91, ser. Lecture Notes in 
Computer Science, vol. 547. Springer, 1991, pp. 106-113. 
[10] G. Brassard, C. Crepeau, and M. Santha, "Oblivious transfers and 
intersecting codes," IEEE Transactions on Information Theory, vol. 42, 
no. 6, pp. 1769-1780, 1996. 
[11] Y. Dodis and S. Micali, "Lower bounds for oblivious transfer reductions," in Advances in Cryptology — EUROCRYPT '99, ser. Lecture Notes in Computer Science, vol. 1592. Springer-Verlag, 1999, pp. 42-55.

[12] S. Wolf and J. Wullschleger, "New monotones and lower bounds in unconditional two-party computation," in Advances in Cryptology — CRYPTO '05, ser. Lecture Notes in Computer Science, vol. 3621, 2005, pp. 467-477.

[13] C. Crepeau and J. Kilian, "Achieving oblivious transfer using weakened 
security assumptions (extended abstract)," in Proceedings of the 29th An- 
nual IEEE Symposium on Foundations of Computer Science (FOCS '88), 
1988, pp. 42-52. 

[14] C. Crepeau, K. Morozov, and S. Wolf, "Efficient unconditional oblivious transfer from almost any noisy channel," in Proceedings of Fourth Conference on Security in Communication Networks (SCN), ser. Lecture Notes in Computer Science, vol. 3352. Springer-Verlag, 2004, pp. 47-59.

[15] I. Damgard, S. Fehr, K. Morozov, and L. Salvail, "Unfair noisy channels and oblivious transfer," in Theory of Cryptography Conference — TCC '04, ser. Lecture Notes in Computer Science, vol. 2951. Springer-Verlag, 2004, pp. 355-373.

[16] J. Wullschleger, "Oblivious transfer from weak noisy channels," in 
Theory of Cryptography, ser. Lecture Notes in Computer Science, 
O. Reingold, Ed. Springer Berlin / Heidelberg, 2009, vol. 5444, pp. 
332-349. 

[17] S. Wolf and J. Wullschleger, "Zero-error information and applications 
in cryptography," in Proceedings of 2004 IEEE Information Theory 
Workshop (ITW '04), 2004. 






[18] A. Nascimento and A. Winter, "On the oblivious transfer capacity of 
noisy correlations," in Proceedings of the IEEE International Symposium 
on Information Theory (ISIT '06), 2006. 

[19] C. Cachin, "On the foundations of oblivious transfer," in Advances in Cryptology — EUROCRYPT '98, ser. Lecture Notes in Computer Science, vol. 1403. Springer-Verlag, 1998, pp. 361-374.

[20] I. Damgard, J. Kilian, and L. Salvail, "On the (im)possibility of basing oblivious transfer and bit commitment on weakened security assumptions," in Advances in Cryptology — EUROCRYPT '99, ser. Lecture Notes in Computer Science, vol. 1592. Springer-Verlag, 1999, pp. 56-73.

[21] G. Brassard, C. Crepeau, and S. Wolf, "Oblivious transfers and privacy 
amplification," Journal of Cryptology, vol. 16, no. 4, pp. 219-237, 2003. 

[22] I. Damgard, S. Fehr, L. Salvail, and C. Schaffner, "Oblivious transfer and linear functions," in Advances in Cryptology — CRYPTO '06, ser. Lecture Notes in Computer Science, vol. 4117. Springer-Verlag, 2006.

[23] J. Wullschleger, "Oblivious-transfer amplification," in Advances in Cryp- 
tology - EUROCRYPT 2007, ser. Lecture Notes in Computer Science, 
M. Naor, Ed. Springer Berlin / Heidelberg, 2007, vol. 4515, pp. 555- 
572. 

[24] C. H. Bennett, G. Brassard, C. Crepeau, and H. Skubiszewska, "Practical 
quantum oblivious transfer," in Advances in Cryptology — CRYPTO '91, 
ser. Lecture Notes in Computer Science, vol. 576. Springer, 1992, pp. 
351-366. 

[25] A. C.-C. Yao, "Security of quantum protocols against coherent measure- 
ments," in Proceedings of the 27th Annual ACM Symposium on Theory 
of Computing (STOC '95). ACM Press, 1995, pp. 67-75. 

[26] I. Damgard, S. Fehr, C. Lunemann, L. Salvail, and C. Schaffner, "Improving the security of quantum protocols," in Advances in Cryptology — CRYPTO '09, ser. Lecture Notes in Computer Science. Springer-Verlag, 2009.

[27] D. Unruh, "Universally composable quantum multi-party computation," in Advances in Cryptology — EUROCRYPT 2010, ser. Lecture Notes in Computer Science, H. Gilbert, Ed. Springer Berlin / Heidelberg, 2010, vol. 6110, pp. 486-505.

[28] D. Beaver, "Correlated pseudorandomness and the complexity of private 
computations," in Proceedings of the 28th Annual ACM Symposium on 
Theory of Computing (STOC '96). ACM Press, 1996, pp. 479-488. 

[29] U. Maurer, "Information-theoretic cryptography," in Advances in Cryptology — CRYPTO '99, ser. Lecture Notes in Computer Science, M. Wiener, Ed. Springer Berlin / Heidelberg, 1999, vol. 1666, pp. 785-785.

[30] S. Wolf and J. Wullschleger, "New monotones and lower bounds in unconditional two-party computation," IEEE Transactions on Information Theory, vol. 54, no. 6, pp. 2792-2797, 2008.

[31] V. Prabhakaran and M. Prabhakaran, "Assisted common information," in Information Theory Proceedings (ISIT), 2010 IEEE International Symposium on, June 2010, pp. 2602-2606.

[32] V. Prabhakaran and M. Prabhakaran, "Assisted common information: Further results," in Information Theory Proceedings (ISIT), 2011 IEEE International Symposium on, July 31-Aug. 5, 2011, pp. 2861-2865.

[33] K. Kurosawa, W. Kishimoto, and T. Koshiba, "A combinatorial approach to deriving lower bounds for perfectly secure oblivious transfer reductions," Information Theory, IEEE Transactions on, vol. 54, no. 6, pp. 2566-2571, June 2008.

[34] A. Beimel and T. Malkin, "A quantitative approach to reductions in 
secure computation," in Theory of Cryptography, ser. Lecture Notes 
in Computer Science, M. Naor, Ed., vol. 2951. Springer Berlin / 
Heidelberg, 2004, pp. 238-257. 

[35] C. Crepeau and G. Savvides, "Optimal reductions between oblivious 
transfers using interactive hashing," in Advances in Cryptology — 
EUROCRYPT '06, ser. Lecture Notes in Computer Science, vol. 4004. 
Springer- Verlag, 2006, pp. 201-221. 

[36] R. Ahlswede and I. Csiszar, "On oblivious transfer capacity," in ISIT, 2007.

[37] D. Mayers, "Unconditionally secure quantum bit commitment is impos- 
sible," Physical Review Letters, vol. 78, pp. 3414-3417, 1997. 

[38] H. K. Lo and H. F. Chau, "Is quantum bit commitment really possible?" 
Physical Review Letters, vol. 78, pp. 3410-3413, 1997. 

[39] H. K. Lo, "Insecurity of quantum secure computations," Physical Review 
A, vol. 56, p. 1154, 1997. 

[40] L. Salvail, C. Schaffner, and M. Sotakova, "On the power of two-party 
quantum cryptography," in ASIACRYPT, ser. Lecture Notes in Computer 
Science, M. Matsui, Ed., vol. 5912. Springer, 2009, pp. 70-87. 

[41] G. Brassard, C. Crepeau, and M. Santha, "Oblivious transfers and 
intersecting codes," IEEE Transactions on Information Theory, special 
issue on coding and complexity, vol. 42, no. 6, pp. 1769-1780, 1996. 



[42] G. Savvides, "Interactive hashing and reductions between oblivious transfer variants," Ph.D. dissertation, McGill University, Montreal, 2007.

[43] Y. Dodis, L. Reyzin, and A. Smith, "Fuzzy extractors: How to generate strong keys from biometrics and other noisy data," in EUROCRYPT, ser. Lecture Notes in Computer Science, C. Cachin and J. Camenisch, Eds., vol. 3027. Springer, 2004, pp. 523-540.

[44] R. Renner, "Security of quantum key distribution," Ph.D. dissertation, ETH Zurich, Switzerland, 2005, available at arxiv.org/abs/quant-ph/0512258.

[45] N. Nisan and D. Zuckerman, "Randomness is linear in space," J. Comput. Syst. Sci., vol. 52, pp. 43-52, February 1996.

[46] R. Renner and S. Wolf, "Simple and tight bounds for information reconciliation and privacy amplification," in Advances in Cryptology — ASIACRYPT 2005, ser. Lecture Notes in Computer Science, vol. 3788. Springer-Verlag, 2005, pp. 199-216.

[47] D. Beaver, "Precomputing oblivious transfer," in Advances in Cryptology — EUROCRYPT '95, ser. Lecture Notes in Computer Science, vol. 963. Springer-Verlag, 1995, pp. 97-109.

[48] O. Goldreich, Foundations of Cryptography. Cambridge University Press, 2004, vol. II: Basic Applications.

[49] M. Fitzi, S. Wolf, and J. Wullschleger, "Pseudo-signatures, broadcast, and multi-party computation from correlated randomness," in Advances in Cryptology — CRYPTO '04, ser. Lecture Notes in Computer Science, vol. 3152. Springer-Verlag, 2004, pp. 562-578.

[50] P. Gacs and J. Körner, "Common information is far less than mutual information," Probl. Contr. Inform. Theory, vol. 2, pp. 149-162, 1973.

[51] S. Wolf and J. Wullschleger, "Oblivious transfer is symmetric," in Advances in Cryptology — EUROCRYPT '06, ser. Lecture Notes in Computer Science, vol. 4004. Springer-Verlag, 2006, pp. 222-232.

[52] S. Winkler, "Classical and quantum secure two-party computation," Ph.D. dissertation, ETH Zurich, 2012.

[53] L. Salvail, C. Schaffner, and M. Sotakova, "On the power of two-party quantum cryptography," arXiv:0902.4036, 2009.

[54] R. Canetti, "Universally composable security: A new paradigm for cryptographic protocols," in Proceedings of the 42nd Annual IEEE Symposium on Foundations of Computer Science (FOCS '01), 2001, pp. 136-145, updated version available at http://eprint.iacr.org/2000/067.

[55] R. Dowsley, J. van de Graaf, J. Müller-Quade, and A. C. A. Nascimento, "On the composability of statistically secure bit commitments," Cryptology ePrint Archive, Report 2008/457, 2008.

[56] A. Winter, A. C. A. Nascimento, and H. Imai, "Commitment capacity of discrete memoryless channels," in IMA Int. Conf., 2003, pp. 35-51.

[57] R. Alicki and M. Fannes, "Continuity of quantum conditional information," Journal of Physics A: Mathematical and General, vol. 37, no. 5, p. L55, 2004.

[58] H. Araki and E. H. Lieb, "Entropy inequalities," Comm. Math. Phys., vol. 18, pp. 160-170, 1970.

[59] S. Winkler, M. Tomamichel, S. Hengl, and R. Renner, "Impossibility of growing quantum bit commitments," Phys. Rev. Lett., vol. 107, p. 090502, Aug 2011.

[60] S. Fehr and C. Schaffner, "Composing quantum protocols in a classical environment," in Proceedings of the 6th Theory of Cryptography Conference on Theory of Cryptography, ser. TCC '09. Berlin, Heidelberg: Springer-Verlag, 2009, pp. 350-367.

[61] W. F. Stinespring, "Positive functions on C*-algebras," Proc. Amer. Math. Soc., vol. 6, pp. 211-216, 1955.

[62] R. König, S. Wehner, and J. Wullschleger, "Unconditional security from noisy quantum storage," Information Theory, IEEE Transactions on, vol. 58, no. 3, pp. 1962-1984, March 2012.

[63] N. Bouman and S. Fehr, "Sampling in a quantum population, and applications," arXiv:0907.4246v4, 2009.

[64] L. Babai and T. P. Hayes, "Near-independence of permutations and an almost sure polynomial bound on the diameter of the symmetric group," SODA '05, 2005.

[65] W. Hoeffding, "Probability inequalities for sums of bounded random variables," Journal of the American Statistical Association, vol. 58, no. 301, pp. 13-30, 1963.

[66] N. J. Bouman and S. Fehr, "Sampling in a quantum population, and applications," in CRYPTO, ser. Lecture Notes in Computer Science, vol. 6223. Springer, 2010, pp. 724-741.

[67] M. Prabhakaran and M. Rosulek, "Cryptographic complexity of multi-party computation problems: Classifications and separations," in Advances in Cryptology — CRYPTO 2008, ser. Lecture Notes in Computer Science, D. Wagner, Ed. Springer Berlin / Heidelberg, 2008, vol. 5157, pp. 262-279.






Appendix 
A. Malicious OT implies Semi-honest OT 

In the malicious model the adversary is not required to 
follow the protocol. Therefore, a protocol that is secure in 
the malicious model protects against a much bigger set of 
adversaries. On the other hand, the security definition in 
the malicious model only implies that for any (also semi- 
honest) adversary there exists a malicious simulator for the 
ideal primitive, i.e., the simulator is allowed to change his 
input or output from the ideal primitive. Since this is not 
allowed in the semi-honest model, security in the malicious 
model does not imply security in the semi-honest model in 
general. For implementations of OT⁹, however, it has been shown in [67] that this implication does hold, because if the adversary is semi-honest, a simulator can only change the input with small probability. Otherwise, he is not able to correctly simulate the input or the output of the protocol. Therefore, any impossibility result for OT in the semi-honest model also implies impossibility in the malicious model.

We will state these results for $\binom{n}{1}$-OT with explicit bounds on the errors.

Lemma A.1: If a protocol implementing $\binom{n}{1}$-OT$^k$ is secure in the malicious model with an error of at most $\varepsilon$, then it is also secure in the semi-honest model with an error of at most $(2n+1)\varepsilon$.

Proof: From the security of the protocol we know that there exists a (malicious) simulator that simulates the view of honest Alice. If two honest players execute the protocol on input $(x_0, \ldots, x_{n-1})$ and $c$, then with probability $1 - \varepsilon$ the receiver gets $y = x_c$. Thus, the simulator can change the input $x_i$ with probability at most $2\varepsilon$ for all $0 \le i \le n-1$. We construct a new simulator that executes the malicious simulator but never changes the input. This simulation is $(2n+1)\varepsilon$-close to the distribution of the protocol. From the security of the protocol we also know that there exists a (malicious) simulator that simulates the view of honest Bob. If two honest players execute the protocol with uniform input $(X_0, \ldots, X_{n-1})$ and choice bit $c$, then with probability $1 - \varepsilon$ the receiver gets $y = x_c$. If the simulator changes the choice bit $c$, he does not learn $x_c$ and the simulated $y$ is not equal to $x_c$ with probability at least $1/2$. Therefore, the simulator can change $c$ or the output with probability at most $4\varepsilon$. As above we can construct a simulator for the semi-honest model with an error of at most $5\varepsilon$. ■
Note that some of our proofs could easily be adapted to the malicious model to get slightly better bounds than the ones that follow from the combination of the bounds in the semi-honest model and Lemma A.1.



¹ And any other so-called deviation revealing functionality.

B. Smooth Entropies

In the following we prove different properties of the entropies $H^\varepsilon_{\min}(X|Y)$ and $H^\varepsilon_{\max}(X|Y)$. Note that some of these properties (or special cases of them) have already been shown in [46].

We first introduce the following auxiliary quantities.

Definition 6: For random variables $X$, $Y$ and $\varepsilon \in [0, 1)$, we define

$$r^\varepsilon_{\max}(X|Y) := \min_{\Omega:\ \Pr[\Omega] \ge 1-\varepsilon}\ \max_{y \in \mathcal{Y}} \left|\mathrm{supp}\left(P_{X\Omega|Y=y}\right)\right| \quad \text{and}$$

$$r^\varepsilon_{\min}(X|Y) := \min_{\Omega:\ \Pr[\Omega] \ge 1-\varepsilon}\ \sum_y P_Y(y) \max_x P_{X\Omega|Y=y}(x) .$$

Note that $H^\varepsilon_{\min}(X|Y) = -\log r^\varepsilon_{\min}(X|Y)$ and $H^\varepsilon_{\max}(X|Y) = \log r^\varepsilon_{\max}(X|Y)$.

The following lemma shows that the smooth conditional max-entropy is subadditive.

Lemma 14 (Subadditivity): Let $X$, $Y$, $Z$ be random variables and $\varepsilon, \varepsilon' \ge 0$ such that $\varepsilon + \varepsilon' \in [0, 1)$. Then

$$H^{\varepsilon+\varepsilon'}_{\max}(XY|Z) \le H^{\varepsilon'}_{\max}(X|Z) + H^{\varepsilon}_{\max}(Y|XZ) .$$

Proof: Let $\Omega$ be an event with $\Pr[\Omega] \ge 1 - \varepsilon$ and

$$\max_{x,z} \left|\mathrm{supp}\left(P_{Y\Omega|X=x,Z=z}\right)\right| \le r^{\varepsilon}_{\max}(Y|XZ) .$$

Let $\Omega'$ be an event with $\Pr[\Omega'] \ge 1 - \varepsilon'$ and $\Omega' \leftrightarrow (X, Z) \leftrightarrow (Y, \Omega)$ such that

$$\max_z \left|\mathrm{supp}\left(P_{X\Omega'|Z=z}\right)\right| \le r^{\varepsilon'}_{\max}(X|Z) .$$

Then $\Pr[\Omega, \Omega'] \ge 1 - \varepsilon - \varepsilon'$ and

$$r^{\varepsilon+\varepsilon'}_{\max}(XY|Z) \le \max_z \left|\mathrm{supp}\left(P_{XY\Omega\Omega'|Z=z}\right)\right| .$$

We have

$$\max_z \left|\mathrm{supp}\left(P_{XY\Omega\Omega'|Z=z}\right)\right| \le \max_z \left( \left|\mathrm{supp}\left(P_{X\Omega'|Z=z}\right)\right| \cdot \max_x \left|\mathrm{supp}\left(P_{Y\Omega|X=x,Z=z}\right)\right| \right) \le \max_z \left|\mathrm{supp}\left(P_{X\Omega'|Z=z}\right)\right| \cdot \max_{x,z} \left|\mathrm{supp}\left(P_{Y\Omega|X=x,Z=z}\right)\right| . \qquad ■$$

Next, we show that conditioning on an additional random variable cannot reduce the conditional smooth entropies.

Lemma 15: Let $X$, $Y$, $Z$ be random variables and $\varepsilon \in [0, 1)$. Then

$$H^\varepsilon_{\min}(X|Z) \ge H^\varepsilon_{\min}(X|YZ) .$$

Proof: Let $\Omega$ be an event with $\Pr[\Omega] \ge 1 - \varepsilon$. Then

$$\sum_z P_Z(z) \max_x P_{X\Omega|Z=z}(x) = \sum_z P_Z(z) \max_x \sum_y P_{Y|Z=z}(y)\, P_{X\Omega|Y=y,Z=z}(x) \le \sum_z P_Z(z) \sum_y P_{Y|Z=z}(y) \max_x P_{X\Omega|Y=y,Z=z}(x) .$$

Since this holds for every such $\Omega$, taking the minimum over $\Omega$ on both sides yields $r^\varepsilon_{\min}(X|Z) \le r^\varepsilon_{\min}(X|YZ)$. ■
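As an added worked illustration of Definition 6 (this code is not part of the paper), the following Python computes $r^\varepsilon_{\min}(X|Y)$ and $r^\varepsilon_{\max}(X|Y)$ exactly for a small constructed distribution and checks the subadditivity of Lemma 14 and the monotonicity of Lemma 15 on it with $Z$ trivial. The table `P_XY`, the greedy water-filling used for $r_{\min}$, and all function names are assumptions of this example.

```python
from collections import defaultdict
from fractions import Fraction
from math import log2

# Constructed joint distribution P_{XY}; keys are (x, y), values are exact
# probabilities.  Y is uniform; given Y=0, X is uniform on four values and
# given Y=1, X is skewed towards 0.
P_XY = {
    (0, 0): Fraction(1, 8), (1, 0): Fraction(1, 8),
    (2, 0): Fraction(1, 8), (3, 0): Fraction(1, 8),
    (0, 1): Fraction(3, 10), (1, 1): Fraction(1, 10), (2, 1): Fraction(1, 10),
}


def rows_by_y(pxy):
    """Group the positive atoms P_{XY}(x, y) by the conditioning value y."""
    rows = defaultdict(list)
    for (x, y), p in pxy.items():
        if p > 0:
            rows[y].append(p)
    return rows


def restructure(pxy, var, cond):
    """Re-key a distribution so that var(x, y) is the new variable and
    cond(x, y) the new conditioning value; yields P_X (constant cond),
    P_{XY} as a single row, or P_{Y|X} from the same table."""
    out = defaultdict(Fraction)
    for (x, y), p in pxy.items():
        out[(var(x, y), cond(x, y))] += p
    return dict(out)


def r_min(pxy, eps):
    """r^eps_min(X|Y) = min over events Omega with Pr[Omega] >= 1 - eps of
    sum_y P_Y(y) max_x P_{X Omega|Y=y}(x) = sum_y max_x P_{XY Omega}(x, y).
    Omega scales each atom by a factor in [0, 1].  Lowering the k atoms tied
    at the top of row y by delta reduces the objective by delta and costs
    k*delta of probability mass, so the budget eps is best spent on the
    segments with the smallest k first (fractional knapsack whose returns
    only decrease, so the greedy choice is optimal)."""
    rows = rows_by_y(pxy)
    total = sum(max(row) for row in rows.values())
    segments = []  # (k, mass cost, objective gain)
    for row in rows.values():
        ps = sorted(row, reverse=True) + [Fraction(0)]
        for k in range(1, len(ps)):
            gain = ps[k - 1] - ps[k]
            if gain > 0:
                segments.append((k, k * gain, gain))
    budget = Fraction(eps)
    for k, cost, gain in sorted(segments, key=lambda s: s[0]):
        if cost <= budget:
            budget -= cost
            total -= gain
        else:
            total -= gain * budget / cost  # take the affordable fraction
            break
    return total


def r_max(pxy, eps):
    """r^eps_max(X|Y) = min over events Omega with Pr[Omega] >= 1 - eps of
    max_y |supp(P_{X Omega|Y=y})|.  Only atoms removed entirely shrink a
    support, so reaching maximal support s means deleting the len(row) - s
    smallest atoms of every larger row; return the smallest affordable s."""
    rows = rows_by_y(pxy)
    budget = Fraction(eps)
    best = max(len(row) for row in rows.values())
    for s in range(best, 0, -1):
        cost = sum(sum(sorted(row)[:max(0, len(row) - s)]) for row in rows.values())
        if cost > budget:
            break
        best = s
    return best


def h_min(pxy, eps):
    """Smooth min-entropy H^eps_min(X|Y) = -log r^eps_min(X|Y), in bits."""
    return -log2(r_min(pxy, eps))


def h_max(pxy, eps):
    """Smooth max-entropy H^eps_max(X|Y) = log r^eps_max(X|Y), in bits."""
    return log2(r_max(pxy, eps))


# Derived tables for the lemma checks with Z trivial (constant 0).
P_X = restructure(P_XY, lambda x, y: x, lambda x, y: 0)               # P_X
P_XY_JOINT = restructure(P_XY, lambda x, y: (x, y), lambda x, y: 0)   # P_{XY}
P_Y_GIVEN_X = restructure(P_XY, lambda x, y: y, lambda x, y: x)       # P_{Y|X}


def lemma14_holds(eps, eps_prime):
    """Lemma 14 with Z trivial: r^{e+e'}_max(XY) <= r^{e'}_max(X) * r^{e}_max(Y|X)."""
    eps, eps_prime = Fraction(eps), Fraction(eps_prime)
    return r_max(P_XY_JOINT, eps + eps_prime) <= r_max(P_X, eps_prime) * r_max(P_Y_GIVEN_X, eps)


def lemma15_holds(eps):
    """Lemma 15 with Z trivial: conditioning cannot decrease r_min, r^e_min(X) <= r^e_min(X|Y)."""
    return r_min(P_X, eps) <= r_min(P_XY, eps)


if __name__ == "__main__":
    for eps in (Fraction(0), Fraction(1, 10), Fraction(1, 8)):
        print(f"eps={eps}: r_min={r_min(P_XY, eps)} H_min={h_min(P_XY, eps):.3f} "
              f"r_max={r_max(P_XY, eps)} H_max={h_max(P_XY, eps):.3f}")
```

With $\varepsilon = 1/10$ the whole budget goes into the single heaviest atom $P_{XY}(0,1) = 3/10$, so $r^{\varepsilon}_{\min}$ drops from $17/40$ to $13/40$, while $r^{\varepsilon}_{\max}$ stays at 4 because deleting even the lightest atom of the $Y=0$ row already costs $1/8 > \varepsilon$; exact fractions are used so that the minimisation over $\Omega$ is reproduced without floating-point slack.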



The Shannon entropy satisfies the inequality $H(X|Z) - H(X|YZ) = I(X;Y|Z) \le H(Y|Z)$. The next lemma shows that this property can be generalized to the smooth min- and max-entropy.

Lemma 16: Let $X$, $Y$, $Z$ be random variables and $\varepsilon, \varepsilon' \ge 0$ such that $\varepsilon + \varepsilon' \in [0, 1)$. Then

$$H^{\varepsilon}_{\min}(X|Z) - H^{\varepsilon'}_{\max}(X|YZ) \le H^{\varepsilon+\varepsilon'}_{\min}(Y|Z) .$$






Proof: Let $\Omega$ be an event with $\Pr[\Omega] \ge 1 - \varepsilon$ and

$$\sum_z P_Z(z) \max_x P_{X\Omega|Z=z}(x) \le r^\varepsilon_{\min}(X|Z) .$$

Let $\Omega'$ be an event with $\Pr[\Omega'] \ge 1 - \varepsilon'$ such that

$$\max_{y,z} \left|\mathrm{supp}\left(P_{X\Omega'|Y=y,Z=z}\right)\right| \le r^{\varepsilon'}_{\max}(X|YZ) .$$

Then $\Pr[\Omega, \Omega'] \ge 1 - \varepsilon - \varepsilon'$ and

$$r^{\varepsilon+\varepsilon'}_{\min}(Y|Z) \le \sum_z P_Z(z) \max_y P_{Y\Omega\Omega'|Z=z}(y) .$$

We have for all $z$

$$\max_{x,y} P_{XY\Omega\Omega'|Z=z}(x, y) \le \max_{x,y} P_{XY\Omega|Z=z}(x, y) \le \max_x P_{X\Omega|Z=z}(x) .$$

Furthermore, we have

$$\left|\{x : P_{XY\Omega\Omega'|Z=z}(x, y) > 0\}\right| \le \left|\mathrm{supp}\left(P_{X\Omega'|Y=y,Z=z}\right)\right| .$$

Together, we obtain

$$\begin{aligned}
r^{\varepsilon+\varepsilon'}_{\min}(Y|Z) &\le \sum_z P_Z(z) \max_y P_{Y\Omega\Omega'|Z=z}(y) \\
&= \sum_z P_Z(z) \Big( \max_y \sum_x P_{XY\Omega\Omega'|Z=z}(x, y) \Big) \\
&\le \sum_z P_Z(z) \Big( \max_y \left|\mathrm{supp}\left(P_{X\Omega'|Y=y,Z=z}\right)\right| \cdot \max_{x,y} P_{XY\Omega\Omega'|Z=z}(x, y) \Big) \\
&\le \max_{y,z} \left|\mathrm{supp}\left(P_{X\Omega'|Y=y,Z=z}\right)\right| \cdot \sum_z P_Z(z) \max_x P_{X\Omega|Z=z}(x) \\
&\le r^\varepsilon_{\min}(X|Z) \cdot r^{\varepsilon'}_{\max}(X|YZ) . \qquad ■
\end{aligned}$$



Note that the proof also implies the stronger inequality $H^{\varepsilon}_{\min}(XY|Z) - H^{\varepsilon'}_{\max}(X|YZ) \le H^{\varepsilon+\varepsilon'}_{\min}(Y|Z)$, which corresponds in a certain sense to the inequality $H(XY|Z) - H(X|YZ) \le H(Y|Z)$ for the Shannon entropy.

The following lemma shows that the smooth min-entropy $H^\varepsilon_{\min}(X|Y)$ satisfies a data processing inequality, i.e., it cannot be decreased by additionally processing $Y$.

Lemma 17 (Data Processing): Let $X$, $Y$, $Z$ be random variables with $X \leftrightarrow Y \leftrightarrow Z$ and $\varepsilon \in [0, 1)$. Then

$$H^\varepsilon_{\min}(X|Y) \le H^\varepsilon_{\min}(X|YZ) .$$

Proof: Let $\Omega$ be an event with $\Pr[\Omega] \ge 1 - \varepsilon$ and $\Omega \leftrightarrow XY \leftrightarrow Z$ such that

$$r^\varepsilon_{\min}(X|Y) = \sum_y P_Y(y) \max_x P_{X\Omega|Y=y}(x) .$$

We have

$$P_{X\Omega|Y=y,Z=z}(x) = P_{X|Y=y,Z=z}(x)\, P_{\Omega|X=x,Y=y,Z=z} = P_{X|Y=y}(x)\, P_{\Omega|X=x,Y=y} = P_{X\Omega|Y=y}(x) .$$

Thus, we obtain

$$r^\varepsilon_{\min}(X|YZ) \le \sum_{y,z} P_{YZ}(y, z) \max_x P_{X\Omega|Y=y,Z=z}(x) = \sum_y P_Y(y) \max_x P_{X\Omega|Y=y}(x) = r^\varepsilon_{\min}(X|Y) . \qquad ■$$



The smooth max-entropy $H^\varepsilon_{\max}(X|Y)$ also satisfies a data processing inequality, i.e., it cannot be decreased by additionally processing $Y$.

Lemma 18: Let $X$, $Y$, $Z$ be random variables with $X \leftrightarrow Y \leftrightarrow Z$ and $\varepsilon \in [0, 1)$. Then

$$H^\varepsilon_{\max}(X|Y) \le H^\varepsilon_{\max}(X|YZ) .$$

Proof: Let $\Omega$ be an event such that

$$r^\varepsilon_{\max}(X|YZ) = \max_{y,z} \left|\mathrm{supp}\left(P_{X\Omega|Y=y,Z=z}\right)\right| .$$

For all $y$, we define $\varepsilon_y := 1 - P_{\Omega|Y=y}$. Let $\Omega_y$ be an event such that

$$r^{\varepsilon_y}_{\max}(X|Z, Y=y) = \max_z \left|\mathrm{supp}\left(P_{X\Omega_y|Y=y,Z=z}\right)\right| .$$

Let $z_y$ be such that $P_{\Omega_y|Y=y,Z=z_y}$ is maximal. We define $\tilde\Omega_y$ with $P_{\tilde\Omega_y|X=x,Y=y} := P_{\Omega_y|X=x,Y=y,Z=z_y}$. Then, we have $P_{\tilde\Omega_y|Y=y} \ge P_{\Omega_y|Y=y} \ge 1 - \varepsilon_y$ and

$$\max_z \left|\mathrm{supp}\left(P_{X\Omega_y|Y=y,Z=z}\right)\right| \ge \left|\mathrm{supp}\left(P_{X\Omega_y|Y=y,Z=z_y}\right)\right| = \left|\mathrm{supp}\left(P_{X\tilde\Omega_y|Y=y}\right)\right|$$

and, therefore,

$$r^{\varepsilon_y}_{\max}(X|Z, Y=y) \ge r^{\varepsilon_y}_{\max}(X|Y=y) .$$

Thus, we get

$$r^\varepsilon_{\max}(X|YZ) = \max_{y,z} \left|\mathrm{supp}\left(P_{X\Omega|Y=y,Z=z}\right)\right| \ge \max_y r^{\varepsilon_y}_{\max}(X|Z, Y=y) \ge \max_y r^{\varepsilon_y}_{\max}(X|Y=y) \ge r^\varepsilon_{\max}(X|Y) . \qquad ■$$



The smooth max-entropy satisfies the following monotonicity properties.

Lemma 19: Let $X$, $Y$, $Z$ be random variables and $\varepsilon \in [0, 1)$. Then

$$H^\varepsilon_{\max}(XY|Z) \ge H^\varepsilon_{\max}(X|Z) \ge H^\varepsilon_{\max}(X|YZ) .$$

Proof: Let $\Omega$ be an event with $\Pr[\Omega] \ge 1 - \varepsilon$. Then the first inequality follows from

$$\max_z \left|\mathrm{supp}\left(P_{XY\Omega|Z=z}\right)\right| \ge \max_z \left|\mathrm{supp}\left(P_{X\Omega|Z=z}\right)\right| ,$$

and the second inequality from

$$\max_{y,z} \left|\mathrm{supp}\left(P_{X\Omega|Y=y,Z=z}\right)\right| \le \max_z \left|\mathrm{supp}\left(P_{X\Omega|Z=z}\right)\right| . \qquad ■$$



C. Technical Lemmas

Lemma 1: Let $(X, Y)$ and $(\hat X, \hat Y)$ be random variables distributed according to $P_{XY}$ and $P_{\hat X\hat Y}$, and let $D(P_{XY}, P_{\hat X\hat Y}) = \varepsilon$. Then

$$H(\hat X|\hat Y) \ge H(X|Y) - \varepsilon \log|\mathcal{X}| - h(\varepsilon) .$$

Proof: There exist random variables $A$, $B$ such that $P_{XY|A=0} = P_{\hat X\hat Y|B=0}$ and $\Pr[A=0] = \Pr[B=0] = 1 - \varepsilon$. Thus, using the monotonicity of the entropy and the fact that $H(X) \le \log|\mathcal{X}|$, we get that

$$\begin{aligned}
H(\hat X|\hat Y) &\ge (1 - \varepsilon)\, H(\hat X|\hat Y, B=0) + \varepsilon\, H(\hat X|\hat Y, B=1) \\
&\ge (1 - \varepsilon)\, H(X|Y, A=0) \\
&= H(X|YA) - \varepsilon\, H(X|Y, A=1) \\
&= H(XA|Y) - H(A|Y) - \varepsilon\, H(X|Y, A=1) \\
&\ge H(X|Y) - h(\varepsilon) - \varepsilon \log|\mathcal{X}| . \qquad ■
\end{aligned}$$

Lemma 20: Let $\rho_{X_0X_1B}$ satisfy conditions (38) and (39). If there exists a measurement $G$ on system $B$ such that $\Pr[G(\rho_B) = X_1] \ge 1 - \varepsilon$, then

$$D\left(\rho_{X_0X_1B},\ \tau_{X_0} \otimes \rho_{X_1B}\right) \le 5\varepsilon .$$

Proof: Let $\sigma_{X_0X_1BC}$ be the state in conditions (38) and (39). Then (32) implies

$$\Pr[G(\sigma_B) = X_1] \ge \Pr[G(\rho_B) = X_1] - \varepsilon \ge 1 - 2\varepsilon .$$

In the state $\sigma_{X_0X_1BC}$, we can guess the first bit of $X_{1-C}$ if we output the first bit of $G(\sigma_B)$ whenever $C = 0$ and a random bit otherwise. We succeed with a probability of

$$\begin{aligned}
g &\ge \tfrac{1}{2} \Pr[C=1] + \Pr[G(\sigma_B) = X_1 \wedge C=0] \\
&= \tfrac{1}{2} (1 - \Pr[C=0]) + \Pr[C=0] - \Pr[G(\sigma_B) \ne X_1 \wedge C=0] \\
&\ge \tfrac{1}{2} (1 - \Pr[C=0]) + \Pr[C=0] - 2\varepsilon \\
&= \tfrac{1}{2} + \tfrac{\Pr[C=0]}{2} - 2\varepsilon .
\end{aligned}$$

Since $X_{1-C}$ is uniform with respect to the rest, we have $g \le \tfrac{1}{2}$ and, therefore, $\Pr[C=0] \le 4\varepsilon$. This implies that for $\tilde\sigma_{X_0X_1BC} := \tau_{X_{1-C}} \otimes \sigma_{X_C B} \otimes \cdots$ we have

$$D\left(\sigma_{X_{1-C}X_CBC},\ \tilde\sigma_{X_{1-C}X_CBC}\right) \le 4\varepsilon$$

and hence

$$D\left(\rho_{X_0X_1B},\ \tau_{X_0} \otimes \rho_{X_1B}\right) \le D\left(\rho_{X_0X_1B}, \sigma_{X_0X_1B}\right) + \cdots \le 5\varepsilon . \qquad ■$$



